formbook | 9c1501fbd2eb669ccbe4a41e37770191e954e6f0dd3e0a954a0670a91df3917c

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation.exe
Size

233KB
MD5

560be75b2b6cfdace7266e5e345f242a
SHA1

0217bcea49f188b04f5d4b2d35c9c2e10be55189
SHA256

9c1501fbd2eb669ccbe4a41e37770191e954e6f0dd3e0a954a0670a91df3917c
SHA512

577e82392b55506580cff192eee0e389f5bc6a3c53939da1aa7fb73985425a2a3d98f6acf2fb6606be1278d6e3a62863a575ea910f27810eb4c7e5d6027b7ed1

Score

10^/10

trojan spyware stealer formbook persistence

Malware Config

Signatures

Suspicious use of SetThreadContext 119 IoCs

Processes:

Quotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exechkdsk.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exe

description	pid	process	target process
PID 1628 set thread context of 1844	1628	Quotation.exe	RegAsm.exe
PID 1844 set thread context of 2952	1844	RegAsm.exe	Explorer.EXE
PID 2052 set thread context of 2680	2052	Quotation.exe	RegAsm.exe
PID 2680 set thread context of 2952	2680	RegAsm.exe	Explorer.EXE
PID 1924 set thread context of 3972	1924	Quotation.exe	RegAsm.exe
PID 3972 set thread context of 2952	3972	RegAsm.exe	Explorer.EXE
PID 3384 set thread context of 744	3384	Quotation.exe	RegAsm.exe
PID 744 set thread context of 2952	744	RegAsm.exe	Explorer.EXE
PID 1100 set thread context of 1876	1100	Quotation.exe	RegAsm.exe
PID 1648 set thread context of 2952	1648	chkdsk.exe	Explorer.EXE
PID 1876 set thread context of 2952	1876	RegAsm.exe	Explorer.EXE
PID 3588 set thread context of 1116	3588	Quotation.exe	RegAsm.exe
PID 1116 set thread context of 2952	1116	RegAsm.exe	Explorer.EXE
PID 744 set thread context of 2952	744	RegAsm.exe	Explorer.EXE
PID 3692 set thread context of 1840	3692	Quotation.exe	RegAsm.exe
PID 1840 set thread context of 2952	1840	RegAsm.exe	Explorer.EXE
PID 3248 set thread context of 2968	3248	Quotation.exe	RegAsm.exe
PID 2968 set thread context of 2952	2968	RegAsm.exe	Explorer.EXE
PID 2036 set thread context of 3796	2036	Quotation.exe	RegAsm.exe
PID 3796 set thread context of 2952	3796	RegAsm.exe	Explorer.EXE
PID 2840 set thread context of 3996	2840	Quotation.exe	RegAsm.exe
PID 3996 set thread context of 2952	3996	RegAsm.exe	Explorer.EXE
PID 3384 set thread context of 2216	3384	Quotation.exe	RegAsm.exe
PID 2216 set thread context of 2952	2216	RegAsm.exe	Explorer.EXE
PID 4056 set thread context of 1712	4056	Quotation.exe	RegAsm.exe
PID 1712 set thread context of 2952	1712	RegAsm.exe	Explorer.EXE
PID 64 set thread context of 2076	64	Quotation.exe	RegAsm.exe
PID 2076 set thread context of 2952	2076	RegAsm.exe	Explorer.EXE
PID 3800 set thread context of 3648	3800	Quotation.exe	RegAsm.exe
PID 3648 set thread context of 2952	3648	RegAsm.exe	Explorer.EXE
PID 1436 set thread context of 2700	1436	Quotation.exe	RegAsm.exe
PID 2700 set thread context of 2952	2700	RegAsm.exe	Explorer.EXE
PID 1208 set thread context of 2808	1208	Quotation.exe	RegAsm.exe
PID 2808 set thread context of 2952	2808	RegAsm.exe	Explorer.EXE
PID 3428 set thread context of 1228	3428	Quotation.exe	RegAsm.exe
PID 1228 set thread context of 2952	1228	RegAsm.exe	Explorer.EXE
PID 1100 set thread context of 2760	1100	Quotation.exe	RegAsm.exe
PID 2760 set thread context of 2952	2760	RegAsm.exe	Explorer.EXE
PID 2944 set thread context of 3276	2944	Quotation.exe	RegAsm.exe
PID 3276 set thread context of 2952	3276	RegAsm.exe	Explorer.EXE
PID 3752 set thread context of 2300	3752	Quotation.exe	RegAsm.exe
PID 2300 set thread context of 2952	2300	RegAsm.exe	Explorer.EXE
PID 1660 set thread context of 3852	1660	Quotation.exe	RegAsm.exe
PID 3852 set thread context of 2952	3852	RegAsm.exe	Explorer.EXE
PID 3928 set thread context of 3356	3928	Quotation.exe	RegAsm.exe
PID 3356 set thread context of 2952	3356	RegAsm.exe	Explorer.EXE
PID 3428 set thread context of 1404	3428	Quotation.exe	RegAsm.exe
PID 1404 set thread context of 2952	1404	RegAsm.exe	Explorer.EXE
PID 992 set thread context of 1436	992	Quotation.exe	RegAsm.exe
PID 1436 set thread context of 2952	1436	RegAsm.exe	Explorer.EXE
PID 3356 set thread context of 2952	3356	RegAsm.exe	Explorer.EXE
PID 1440 set thread context of 2160	1440	Quotation.exe	RegAsm.exe
PID 2160 set thread context of 2952	2160	RegAsm.exe	Explorer.EXE
PID 1404 set thread context of 2952	1404	RegAsm.exe	Explorer.EXE
PID 2036 set thread context of 3868	2036	Quotation.exe	RegAsm.exe
PID 3868 set thread context of 2952	3868	RegAsm.exe	Explorer.EXE
PID 1660 set thread context of 4048	1660	Quotation.exe	RegAsm.exe
PID 4048 set thread context of 2952	4048	RegAsm.exe	Explorer.EXE
PID 4080 set thread context of 3820	4080	Quotation.exe	RegAsm.exe
PID 3820 set thread context of 2952	3820	RegAsm.exe	Explorer.EXE
PID 4052 set thread context of 3248	4052	Quotation.exe	RegAsm.exe
PID 3248 set thread context of 2952	3248	RegAsm.exe	Explorer.EXE
PID 2096 set thread context of 1560	2096	Quotation.exe	RegAsm.exe
PID 1560 set thread context of 2952	1560	RegAsm.exe	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 179 IoCs

Processes:

Quotation.exeRegAsm.exeQuotation.exeRegAsm.exechkdsk.exeQuotation.exeRegAsm.exehelp.exeQuotation.exeRegAsm.exechkdsk.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exesvchost.exeQuotation.exeRegAsm.exenetsh.exeNETSTAT.EXEQuotation.exeRegAsm.execolorcpl.exeQuotation.exeRegAsm.exeQuotation.exeexplorer.exeRegAsm.exenetsh.exeQuotation.exeRegAsm.exeipconfig.exeQuotation.exeRegAsm.exerundll32.exeQuotation.exeRegAsm.execmstp.exeQuotation.exeRegAsm.exeNETSTAT.EXEQuotation.exeRegAsm.exeQuotation.exeexplorer.exeRegAsm.exesvchost.exeQuotation.exeRegAsm.exewscript.exeExplorer.EXEQuotation.exeRegAsm.exesystray.exeQuotation.exeRegAsm.exemsdt.exeQuotation.exeRegAsm.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	1628	Quotation.exe
Token: SeDebugPrivilege	1844	RegAsm.exe
Token: SeDebugPrivilege	2052	Quotation.exe
Token: SeDebugPrivilege	2680	RegAsm.exe
Token: SeDebugPrivilege	1648	chkdsk.exe
Token: SeDebugPrivilege	1924	Quotation.exe
Token: SeDebugPrivilege	3972	RegAsm.exe
Token: SeDebugPrivilege	3816	help.exe
Token: SeDebugPrivilege	3384	Quotation.exe
Token: SeDebugPrivilege	744	RegAsm.exe
Token: SeDebugPrivilege	3624	chkdsk.exe
Token: SeDebugPrivilege	1100	Quotation.exe
Token: SeDebugPrivilege	1876	RegAsm.exe
Token: SeDebugPrivilege	3588	Quotation.exe
Token: SeDebugPrivilege	1116	RegAsm.exe
Token: SeDebugPrivilege	1376	svchost.exe
Token: SeDebugPrivilege	3692	Quotation.exe
Token: SeDebugPrivilege	1840	RegAsm.exe
Token: SeDebugPrivilege	4044	netsh.exe
Token: SeDebugPrivilege	1532	NETSTAT.EXE
Token: SeDebugPrivilege	3248	Quotation.exe
Token: SeDebugPrivilege	2968	RegAsm.exe
Token: SeDebugPrivilege	2064	colorcpl.exe
Token: SeDebugPrivilege	2036	Quotation.exe
Token: SeDebugPrivilege	3796	RegAsm.exe
Token: SeDebugPrivilege	2840	Quotation.exe
Token: SeDebugPrivilege	1300	explorer.exe
Token: SeDebugPrivilege	3996	RegAsm.exe
Token: SeDebugPrivilege	3908	netsh.exe
Token: SeDebugPrivilege	3384	Quotation.exe
Token: SeDebugPrivilege	2216	RegAsm.exe
Token: SeDebugPrivilege	2768	ipconfig.exe
Token: SeDebugPrivilege	4056	Quotation.exe
Token: SeDebugPrivilege	1712	RegAsm.exe
Token: SeDebugPrivilege	3228	rundll32.exe
Token: SeDebugPrivilege	64	Quotation.exe
Token: SeDebugPrivilege	2076	RegAsm.exe
Token: SeDebugPrivilege	3584	cmstp.exe
Token: SeDebugPrivilege	3800	Quotation.exe
Token: SeDebugPrivilege	3648	RegAsm.exe
Token: SeDebugPrivilege	3044	NETSTAT.EXE
Token: SeDebugPrivilege	1436	Quotation.exe
Token: SeDebugPrivilege	2700	RegAsm.exe
Token: SeDebugPrivilege	1208	Quotation.exe
Token: SeDebugPrivilege	1980	explorer.exe
Token: SeDebugPrivilege	2808	RegAsm.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3428	Quotation.exe
Token: SeDebugPrivilege	1228	RegAsm.exe
Token: SeDebugPrivilege	3132	wscript.exe
Token: SeShutdownPrivilege	2952	Explorer.EXE
Token: SeCreatePagefilePrivilege	2952	Explorer.EXE
Token: SeDebugPrivilege	1100	Quotation.exe
Token: SeDebugPrivilege	2760	RegAsm.exe
Token: SeDebugPrivilege	4004	systray.exe
Token: SeDebugPrivilege	2944	Quotation.exe
Token: SeDebugPrivilege	3276	RegAsm.exe
Token: SeDebugPrivilege	3824	msdt.exe
Token: SeDebugPrivilege	3752	Quotation.exe
Token: SeDebugPrivilege	2300	RegAsm.exe
Token: SeDebugPrivilege	740	control.exe
Token: SeShutdownPrivilege	2952	Explorer.EXE
Token: SeCreatePagefilePrivilege	2952	Explorer.EXE
Token: SeShutdownPrivilege	2952	Explorer.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	chkdsk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\FH4XBNAPFLU = "C:\\Program Files (x86)\\Ykfil4ht8\\s6qluhbhxz0x.exe"	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chkdsk.exechkdsk.exechkdsk.exechkdsk.exechkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious use of WriteProcessMemory 630 IoCs

Processes:

Quotation.exeExplorer.EXEQuotation.exechkdsk.exeQuotation.exeQuotation.exeQuotation.exeQuotation.exe

description	pid	process	target process
PID 1628 wrote to memory of 1844	1628	Quotation.exe	RegAsm.exe
PID 1628 wrote to memory of 1844	1628	Quotation.exe	RegAsm.exe
PID 1628 wrote to memory of 1844	1628	Quotation.exe	RegAsm.exe
PID 1628 wrote to memory of 1844	1628	Quotation.exe	RegAsm.exe
PID 2952 wrote to memory of 1648	2952	Explorer.EXE	chkdsk.exe
PID 2952 wrote to memory of 1648	2952	Explorer.EXE	chkdsk.exe
PID 2952 wrote to memory of 1648	2952	Explorer.EXE	chkdsk.exe
PID 1628 wrote to memory of 2052	1628	Quotation.exe	Quotation.exe
PID 1628 wrote to memory of 2052	1628	Quotation.exe	Quotation.exe
PID 1628 wrote to memory of 2052	1628	Quotation.exe	Quotation.exe
PID 2052 wrote to memory of 2680	2052	Quotation.exe	RegAsm.exe
PID 2052 wrote to memory of 2680	2052	Quotation.exe	RegAsm.exe
PID 2052 wrote to memory of 2680	2052	Quotation.exe	RegAsm.exe
PID 2052 wrote to memory of 2680	2052	Quotation.exe	RegAsm.exe
PID 2052 wrote to memory of 1924	2052	Quotation.exe	Quotation.exe
PID 2052 wrote to memory of 1924	2052	Quotation.exe	Quotation.exe
PID 2052 wrote to memory of 1924	2052	Quotation.exe	Quotation.exe
PID 2952 wrote to memory of 3816	2952	Explorer.EXE	help.exe
PID 2952 wrote to memory of 3816	2952	Explorer.EXE	help.exe
PID 2952 wrote to memory of 3816	2952	Explorer.EXE	help.exe
PID 1648 wrote to memory of 3860	1648	chkdsk.exe	cmd.exe
PID 1648 wrote to memory of 3860	1648	chkdsk.exe	cmd.exe
PID 1648 wrote to memory of 3860	1648	chkdsk.exe	cmd.exe
PID 1924 wrote to memory of 3820	1924	Quotation.exe	RegAsm.exe
PID 1924 wrote to memory of 3820	1924	Quotation.exe	RegAsm.exe
PID 1924 wrote to memory of 3820	1924	Quotation.exe	RegAsm.exe
PID 1924 wrote to memory of 3972	1924	Quotation.exe	RegAsm.exe
PID 1924 wrote to memory of 3972	1924	Quotation.exe	RegAsm.exe
PID 1924 wrote to memory of 3972	1924	Quotation.exe	RegAsm.exe
PID 1924 wrote to memory of 3972	1924	Quotation.exe	RegAsm.exe
PID 1924 wrote to memory of 3384	1924	Quotation.exe	Quotation.exe
PID 1924 wrote to memory of 3384	1924	Quotation.exe	Quotation.exe
PID 1924 wrote to memory of 3384	1924	Quotation.exe	Quotation.exe
PID 2952 wrote to memory of 3624	2952	Explorer.EXE	chkdsk.exe
PID 2952 wrote to memory of 3624	2952	Explorer.EXE	chkdsk.exe
PID 2952 wrote to memory of 3624	2952	Explorer.EXE	chkdsk.exe
PID 3384 wrote to memory of 744	3384	Quotation.exe	RegAsm.exe
PID 3384 wrote to memory of 744	3384	Quotation.exe	RegAsm.exe
PID 3384 wrote to memory of 744	3384	Quotation.exe	RegAsm.exe
PID 3384 wrote to memory of 744	3384	Quotation.exe	RegAsm.exe
PID 3384 wrote to memory of 1100	3384	Quotation.exe	Quotation.exe
PID 3384 wrote to memory of 1100	3384	Quotation.exe	Quotation.exe
PID 3384 wrote to memory of 1100	3384	Quotation.exe	Quotation.exe
PID 1100 wrote to memory of 1876	1100	Quotation.exe	RegAsm.exe
PID 1100 wrote to memory of 1876	1100	Quotation.exe	RegAsm.exe
PID 1100 wrote to memory of 1876	1100	Quotation.exe	RegAsm.exe
PID 1100 wrote to memory of 1876	1100	Quotation.exe	RegAsm.exe
PID 1100 wrote to memory of 3588	1100	Quotation.exe	Quotation.exe
PID 1100 wrote to memory of 3588	1100	Quotation.exe	Quotation.exe
PID 1100 wrote to memory of 3588	1100	Quotation.exe	Quotation.exe
PID 2952 wrote to memory of 1376	2952	Explorer.EXE	svchost.exe
PID 2952 wrote to memory of 1376	2952	Explorer.EXE	svchost.exe
PID 2952 wrote to memory of 1376	2952	Explorer.EXE	svchost.exe
PID 3588 wrote to memory of 1116	3588	Quotation.exe	RegAsm.exe
PID 3588 wrote to memory of 1116	3588	Quotation.exe	RegAsm.exe
PID 3588 wrote to memory of 1116	3588	Quotation.exe	RegAsm.exe
PID 3588 wrote to memory of 1116	3588	Quotation.exe	RegAsm.exe
PID 3588 wrote to memory of 3692	3588	Quotation.exe	Quotation.exe
PID 3588 wrote to memory of 3692	3588	Quotation.exe	Quotation.exe
PID 3588 wrote to memory of 3692	3588	Quotation.exe	Quotation.exe
PID 2952 wrote to memory of 4044	2952	Explorer.EXE	netsh.exe
PID 2952 wrote to memory of 4044	2952	Explorer.EXE	netsh.exe
PID 2952 wrote to memory of 4044	2952	Explorer.EXE	netsh.exe
PID 2952 wrote to memory of 1532	2952	Explorer.EXE	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 251 IoCs

Processes:

Quotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exechkdsk.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exeQuotation.exeRegAsm.exe

pid	process
1628	Quotation.exe
1844	RegAsm.exe
2052	Quotation.exe
1844	RegAsm.exe
1844	RegAsm.exe
2680	RegAsm.exe
1924	Quotation.exe
1924	Quotation.exe
1648	chkdsk.exe
3972	RegAsm.exe
2680	RegAsm.exe
2680	RegAsm.exe
3384	Quotation.exe
744	RegAsm.exe
3972	RegAsm.exe
3972	RegAsm.exe
1100	Quotation.exe
1648	chkdsk.exe
1876	RegAsm.exe
3588	Quotation.exe
1116	RegAsm.exe
1876	RegAsm.exe
1876	RegAsm.exe
744	RegAsm.exe
3692	Quotation.exe
1840	RegAsm.exe
1116	RegAsm.exe
1116	RegAsm.exe
744	RegAsm.exe
744	RegAsm.exe
3248	Quotation.exe
2968	RegAsm.exe
1840	RegAsm.exe
1840	RegAsm.exe
2036	Quotation.exe
3796	RegAsm.exe
2968	RegAsm.exe
2968	RegAsm.exe
2840	Quotation.exe
3996	RegAsm.exe
3796	RegAsm.exe
3796	RegAsm.exe
3384	Quotation.exe
2216	RegAsm.exe
3996	RegAsm.exe
3996	RegAsm.exe
4056	Quotation.exe
1712	RegAsm.exe
2216	RegAsm.exe
2216	RegAsm.exe
64	Quotation.exe
64	Quotation.exe
2076	RegAsm.exe
1712	RegAsm.exe
1712	RegAsm.exe
3800	Quotation.exe
3800	Quotation.exe
3648	RegAsm.exe
2076	RegAsm.exe
2076	RegAsm.exe
1436	Quotation.exe
1436	Quotation.exe
2700	RegAsm.exe
3648	RegAsm.exe

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

chkdsk.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer chkdsk.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Explorer.EXE

pid process

2952 Explorer.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Explorer.EXE

pid process

2952 Explorer.EXE
Drops file in Program Files directory 1 IoCs

Processes:

chkdsk.exe

description ioc process

File opened for modification C:\Program Files (x86)\Ykfil4ht8\s6qluhbhxz0x.exe chkdsk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	chkdsk.exe

pid	process
2952	Explorer.EXE

pid	process
2952	Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ykfil4ht8\s6qluhbhxz0x.exe	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 21349 IoCs

Processes:

Quotation.exe

pid	process
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe
1628	Quotation.exe

js 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4320-360-0x0000000001230000-0x000000000152C000-memory.dmp	js
behavioral2/memory/4320-361-0x0000000001230000-0x000000000152C000-memory.dmp	js

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2952

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1844

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2680

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:3820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3972

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:744

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1876

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1116

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1840

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2968

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3796

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3996

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2216

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1712

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:64

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2076

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3648

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2700

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
22⤵
- Suspicious use of SetThreadContext
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of SetThreadContext
PID:3852

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
23⤵
- Suspicious use of SetThreadContext
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of SetThreadContext
PID:3356

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
24⤵
- Suspicious use of SetThreadContext
PID:3428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of SetThreadContext
PID:1404

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
25⤵
- Suspicious use of SetThreadContext
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of SetThreadContext
PID:1436

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
26⤵
- Suspicious use of SetThreadContext
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of SetThreadContext
PID:2160

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
27⤵
- Suspicious use of SetThreadContext
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:3632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of SetThreadContext
PID:3868

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
28⤵
- Suspicious use of SetThreadContext
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Suspicious use of SetThreadContext
PID:4048

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
29⤵
- Suspicious use of SetThreadContext
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
- Suspicious use of SetThreadContext
PID:3820

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
30⤵
- Suspicious use of SetThreadContext
PID:4052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Suspicious use of SetThreadContext
PID:3248

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
31⤵
- Suspicious use of SetThreadContext
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
- Suspicious use of SetThreadContext
PID:1560

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
32⤵
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
33⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
34⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
35⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
36⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
37⤵
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
38⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
39⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
40⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
41⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
42⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
43⤵
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
44⤵
PID:3272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:3644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
45⤵
PID:3924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
46⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
47⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
48⤵
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
49⤵
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
50⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
51⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
52⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
53⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
54⤵
PID:3368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:3324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
55⤵
PID:4172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
56⤵
PID:4272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
57⤵
PID:4392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
58⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
59⤵
PID:4616

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to policy start application
- Modifies Internet Explorer settings
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- System policy modification
- Drops file in Program Files directory
PID:1648

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:2804

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3792

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Enumerates system info in registry
PID:3624

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1404

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1396

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1436

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1440

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2036

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:996

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1208

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1188

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1300

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1168

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3748

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3752

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2036

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:1772

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:496

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1416

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1216

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:3652

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:2012

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:1724

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:1408

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:1752

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:3756

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:2780

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
PID:2860

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:1372

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
PID:3684

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:3804

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
PID:1188

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:3428

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:3596

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:2880

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:3244

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:1600

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:3736

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:3420

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:2676

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:1152

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
PID:756

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:1448

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:3928

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:1168

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:1016

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:2052

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:60

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:3008

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:4164

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:4320

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:4424

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:4540

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:4648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Download Submit
C:\Users\Admin\AppData\Roaming\972B4OAV\972logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\972B4OAV\972logrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\972B4OAV\972logrg.ini

Download Submit
C:\Users\Admin\AppData\Roaming\972B4OAV\972logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\972B4OAV\972logrv.ini

Download Submit
memory/60-339-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/60-337-0x0000000000000000-mapping.dmp

Download
memory/60-338-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/64-72-0x0000000000000000-mapping.dmp

Download
memory/496-140-0x0000000000CF0000-0x0000000000D0F000-memory.dmp

Filesize
124KB

Download
memory/496-139-0x0000000000000000-mapping.dmp

Download
memory/496-141-0x0000000000CF0000-0x0000000000D0F000-memory.dmp

Filesize
124KB

Download
memory/736-288-0x000000000041E2C0-mapping.dmp

Download
memory/740-126-0x0000000000000000-mapping.dmp

Download
memory/740-127-0x00000000011C0000-0x00000000011E0000-memory.dmp

Filesize
128KB

Download
memory/740-128-0x00000000011C0000-0x00000000011E0000-memory.dmp

Filesize
128KB

Download
memory/744-18-0x000000000041E2C0-mapping.dmp

Download
memory/756-298-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/756-297-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/756-296-0x0000000000000000-mapping.dmp

Download
memory/992-149-0x0000000000000000-mapping.dmp

Download
memory/1016-321-0x0000000000000000-mapping.dmp

Download
memory/1016-322-0x00000000011C0000-0x00000000011E0000-memory.dmp

Filesize
128KB

Download
memory/1016-323-0x00000000011C0000-0x00000000011E0000-memory.dmp

Filesize
128KB

Download
memory/1100-335-0x000000000041E2C0-mapping.dmp

Download
memory/1100-103-0x0000000000000000-mapping.dmp

Download
memory/1100-19-0x0000000000000000-mapping.dmp

Download
memory/1116-29-0x000000000041E2C0-mapping.dmp

Download
memory/1152-290-0x0000000000000000-mapping.dmp

Download
memory/1152-291-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/1152-292-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/1168-316-0x0000000001360000-0x0000000001377000-memory.dmp

Filesize
92KB

Download
memory/1168-317-0x0000000001360000-0x0000000001377000-memory.dmp

Filesize
92KB

Download
memory/1168-315-0x0000000000000000-mapping.dmp

Download
memory/1188-233-0x0000000000000000-mapping.dmp

Download
memory/1188-235-0x0000000001210000-0x000000000121B000-memory.dmp

Filesize
44KB

Download
memory/1188-234-0x0000000001210000-0x000000000121B000-memory.dmp

Filesize
44KB

Download
memory/1208-90-0x0000000000000000-mapping.dmp

Download
memory/1228-102-0x000000000041E2C0-mapping.dmp

Download
memory/1300-55-0x0000000001250000-0x000000000168F000-memory.dmp

Filesize
4.2MB

Download
memory/1300-54-0x0000000001250000-0x000000000168F000-memory.dmp

Filesize
4.2MB

Download
memory/1300-53-0x0000000000000000-mapping.dmp

Download
memory/1332-276-0x000000000041E2C0-mapping.dmp

Download
memory/1372-215-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/1372-216-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/1372-214-0x0000000000000000-mapping.dmp

Download
memory/1376-31-0x0000000000000000-mapping.dmp

Download
memory/1376-32-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/1376-33-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/1396-238-0x0000000000000000-mapping.dmp

Download
memory/1404-148-0x000000000041E2C0-mapping.dmp

Download
memory/1408-180-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/1408-179-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/1408-178-0x0000000000000000-mapping.dmp

Download
memory/1436-151-0x000000000041E2C0-mapping.dmp

Download
memory/1436-84-0x0000000000000000-mapping.dmp

Download
memory/1440-152-0x0000000000000000-mapping.dmp

Download
memory/1440-294-0x000000000041E2C0-mapping.dmp

Download
memory/1448-304-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1448-303-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1448-302-0x0000000000000000-mapping.dmp

Download
memory/1456-225-0x0000000000000000-mapping.dmp

Download
memory/1532-41-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/1532-40-0x0000000000000000-mapping.dmp

Download
memory/1532-42-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/1560-195-0x000000000041E2C0-mapping.dmp

Download
memory/1600-267-0x0000000000CF0000-0x0000000000D0F000-memory.dmp

Filesize
124KB

Download
memory/1600-266-0x0000000000CF0000-0x0000000000D0F000-memory.dmp

Filesize
124KB

Download
memory/1600-265-0x0000000000000000-mapping.dmp

Download
memory/1632-329-0x0000000000000000-mapping.dmp

Download
memory/1648-8-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1648-7-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1648-27-0x00000000062F0000-0x0000000006477000-memory.dmp

Filesize
1.5MB

Download
memory/1648-6-0x0000000000000000-mapping.dmp

Download
memory/1652-255-0x000000000041E2C0-mapping.dmp

Download
memory/1660-122-0x0000000000000000-mapping.dmp

Download
memory/1660-344-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/1660-295-0x0000000000000000-mapping.dmp

Download
memory/1660-342-0x0000000000000000-mapping.dmp

Download
memory/1660-166-0x0000000000000000-mapping.dmp

Download
memory/1660-343-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/1688-319-0x000000000041E2C0-mapping.dmp

Download
memory/1712-71-0x000000000041E2C0-mapping.dmp

Download
memory/1720-341-0x000000000041E2C0-mapping.dmp

Download
memory/1724-172-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/1724-171-0x0000000000000000-mapping.dmp

Download
memory/1724-173-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/1752-186-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/1752-185-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/1752-184-0x0000000000000000-mapping.dmp

Download
memory/1772-133-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/1772-132-0x0000000000000000-mapping.dmp

Download
memory/1772-134-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/1840-35-0x000000000041E2C0-mapping.dmp

Download
memory/1844-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1844-1-0x000000000041E2C0-mapping.dmp

Download
memory/1876-25-0x000000000041E2C0-mapping.dmp

Download
memory/1884-219-0x0000000000000000-mapping.dmp

Download
memory/1924-5-0x0000000000000000-mapping.dmp

Download
memory/1980-93-0x0000000001250000-0x000000000168F000-memory.dmp

Filesize
4.2MB

Download
memory/1980-92-0x0000000000000000-mapping.dmp

Download
memory/1980-94-0x0000000001250000-0x000000000168F000-memory.dmp

Filesize
4.2MB

Download
memory/2012-170-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download
memory/2012-168-0x0000000000000000-mapping.dmp

Download
memory/2012-169-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download
memory/2036-156-0x0000000000000000-mapping.dmp

Download
memory/2036-45-0x0000000000000000-mapping.dmp

Download
memory/2036-289-0x0000000000000000-mapping.dmp

Download
memory/2040-301-0x0000000000000000-mapping.dmp

Download
memory/2052-2-0x0000000000000000-mapping.dmp

Download
memory/2052-330-0x0000000000000000-mapping.dmp

Download
memory/2052-332-0x0000000001250000-0x000000000168F000-memory.dmp

Filesize
4.2MB

Download
memory/2052-331-0x0000000001250000-0x000000000168F000-memory.dmp

Filesize
4.2MB

Download
memory/2064-48-0x00000000008C0000-0x00000000008D9000-memory.dmp

Filesize
100KB

Download
memory/2064-47-0x00000000008C0000-0x00000000008D9000-memory.dmp

Filesize
100KB

Download
memory/2064-46-0x0000000000000000-mapping.dmp

Download
memory/2076-77-0x000000000041E2C0-mapping.dmp

Download
memory/2084-212-0x000000000041E2C0-mapping.dmp

Download
memory/2096-189-0x0000000000000000-mapping.dmp

Download
memory/2160-155-0x000000000041E2C0-mapping.dmp

Download
memory/2216-64-0x000000000041E2C0-mapping.dmp

Download
memory/2300-121-0x000000000041E2C0-mapping.dmp

Download
memory/2496-224-0x000000000041E2C0-mapping.dmp

Download
memory/2504-218-0x000000000041E2C0-mapping.dmp

Download
memory/2512-243-0x000000000041E2C0-mapping.dmp

Download
memory/2512-207-0x0000000000000000-mapping.dmp

Download
memory/2532-326-0x0000000000000000-mapping.dmp

Download
memory/2672-328-0x000000000041E2C0-mapping.dmp

Download
memory/2676-285-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/2676-284-0x0000000000000000-mapping.dmp

Download
memory/2676-286-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/2680-4-0x000000000041E2C0-mapping.dmp

Download
memory/2684-244-0x0000000000000000-mapping.dmp

Download
memory/2700-89-0x000000000041E2C0-mapping.dmp

Download
memory/2760-108-0x000000000041E2C0-mapping.dmp

Download
memory/2768-69-0x0000000001210000-0x000000000121B000-memory.dmp

Filesize
44KB

Download
memory/2768-67-0x0000000000000000-mapping.dmp

Download
memory/2768-68-0x0000000001210000-0x000000000121B000-memory.dmp

Filesize
44KB

Download
memory/2780-198-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/2780-197-0x0000000000000000-mapping.dmp

Download
memory/2780-203-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/2784-313-0x000000000041E2C0-mapping.dmp

Download
memory/2804-124-0x0000000000000000-mapping.dmp

Download
memory/2808-96-0x000000000041E2C0-mapping.dmp

Download
memory/2840-51-0x0000000000000000-mapping.dmp

Download
memory/2860-209-0x0000000001210000-0x000000000121B000-memory.dmp

Filesize
44KB

Download
memory/2860-210-0x0000000001210000-0x000000000121B000-memory.dmp

Filesize
44KB

Download
memory/2860-208-0x0000000000000000-mapping.dmp

Download
memory/2880-253-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/2880-251-0x0000000000000000-mapping.dmp

Download
memory/2880-252-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/2944-160-0x0000000000830000-0x00000000009A3000-memory.dmp

Filesize
1.4MB

Download
memory/2944-159-0x0000000000830000-0x00000000009A3000-memory.dmp

Filesize
1.4MB

Download
memory/2944-158-0x0000000000000000-mapping.dmp

Download
memory/2944-109-0x0000000000000000-mapping.dmp

Download
memory/2948-250-0x0000000000000000-mapping.dmp

Download
memory/2952-257-0x000000000BFA0000-0x000000000C0C7000-memory.dmp

Filesize
1.2MB

Download
memory/2952-271-0x000000000C220000-0x000000000C2F6000-memory.dmp

Filesize
856KB

Download
memory/2952-308-0x000000000C850000-0x000000000C9A9000-memory.dmp

Filesize
1.3MB

Download
memory/2952-264-0x000000000C0D0000-0x000000000C212000-memory.dmp

Filesize
1.3MB

Download
memory/2952-190-0x000000000B590000-0x000000000B675000-memory.dmp

Filesize
916KB

Download
memory/2952-365-0x000000000D500000-0x000000000D656000-memory.dmp

Filesize
1.3MB

Download
memory/2952-138-0x0000000008730000-0x0000000008819000-memory.dmp

Filesize
932KB

Download
memory/2952-123-0x0000000009960000-0x0000000009AFF000-memory.dmp

Filesize
1.6MB

Download
memory/2952-20-0x0000000005740000-0x000000000584B000-memory.dmp

Filesize
1.0MB

Download
memory/2952-333-0x000000000CE50000-0x000000000CF12000-memory.dmp

Filesize
776KB

Download
memory/2952-59-0x0000000007380000-0x00000000074BC000-memory.dmp

Filesize
1.2MB

Download
memory/2952-167-0x00000000092B0000-0x00000000093A6000-memory.dmp

Filesize
984KB

Download
memory/2952-52-0x0000000007230000-0x0000000007372000-memory.dmp

Filesize
1.3MB

Download
memory/2952-153-0x000000000A100000-0x000000000A2A7000-memory.dmp

Filesize
1.7MB

Download
memory/2952-157-0x000000000AE90000-0x000000000AFD3000-memory.dmp

Filesize
1.3MB

Download
memory/2952-66-0x0000000006D80000-0x0000000006E6A000-memory.dmp

Filesize
936KB

Download
memory/2952-226-0x000000000BAD0000-0x000000000BBA4000-memory.dmp

Filesize
848KB

Download
memory/2952-91-0x00000000097B0000-0x0000000009951000-memory.dmp

Filesize
1.6MB

Download
memory/2952-116-0x0000000008F30000-0x000000000908E000-memory.dmp

Filesize
1.4MB

Download
memory/2952-177-0x000000000B170000-0x000000000B28E000-memory.dmp

Filesize
1.1MB

Download
memory/2952-345-0x000000000D0C0000-0x000000000D25B000-memory.dmp

Filesize
1.6MB

Download
memory/2952-13-0x0000000005610000-0x0000000005739000-memory.dmp

Filesize
1.2MB

Download
memory/2968-44-0x000000000041E2C0-mapping.dmp

Download
memory/3000-213-0x0000000000000000-mapping.dmp

Download
memory/3008-349-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/3008-347-0x0000000000000000-mapping.dmp

Download
memory/3008-348-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/3044-85-0x0000000000000000-mapping.dmp

Download
memory/3044-87-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/3044-86-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/3132-105-0x0000000000020000-0x0000000000047000-memory.dmp

Filesize
156KB

Download
memory/3132-106-0x0000000000020000-0x0000000000047000-memory.dmp

Filesize
156KB

Download
memory/3132-104-0x0000000000000000-mapping.dmp

Download
memory/3228-73-0x0000000000000000-mapping.dmp

Download
memory/3228-74-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/3228-75-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/3244-260-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/3244-259-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/3244-258-0x0000000000000000-mapping.dmp

Download
memory/3248-36-0x0000000000000000-mapping.dmp

Download
memory/3248-188-0x000000000041E2C0-mapping.dmp

Download
memory/3272-277-0x0000000000000000-mapping.dmp

Download
memory/3276-114-0x000000000041E2C0-mapping.dmp

Download
memory/3356-136-0x000000000041E2C0-mapping.dmp

Download
memory/3368-336-0x0000000000000000-mapping.dmp

Download
memory/3384-232-0x0000000000000000-mapping.dmp

Download
memory/3384-12-0x0000000000000000-mapping.dmp

Download
memory/3384-58-0x0000000000000000-mapping.dmp

Download
memory/3420-280-0x0000000001360000-0x0000000001377000-memory.dmp

Filesize
92KB

Download
memory/3420-279-0x0000000001360000-0x0000000001377000-memory.dmp

Filesize
92KB

Download
memory/3420-278-0x0000000000000000-mapping.dmp

Download
memory/3428-241-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/3428-137-0x0000000000000000-mapping.dmp

Download
memory/3428-240-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/3428-239-0x0000000000000000-mapping.dmp

Download
memory/3428-97-0x0000000000000000-mapping.dmp

Download
memory/3544-263-0x0000000000000000-mapping.dmp

Download
memory/3544-320-0x0000000000000000-mapping.dmp

Download
memory/3584-79-0x0000000000000000-mapping.dmp

Download
memory/3584-81-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/3584-80-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/3588-26-0x0000000000000000-mapping.dmp

Download
memory/3588-269-0x000000000041E2C0-mapping.dmp

Download
memory/3596-245-0x0000000000000000-mapping.dmp

Download
memory/3596-247-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download
memory/3596-246-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download
memory/3604-262-0x000000000041E2C0-mapping.dmp

Download
memory/3612-206-0x000000000041E2C0-mapping.dmp

Download
memory/3624-22-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/3624-23-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/3624-21-0x0000000000000000-mapping.dmp

Download
memory/3632-231-0x000000000041E2C0-mapping.dmp

Download
memory/3648-83-0x000000000041E2C0-mapping.dmp

Download
memory/3652-161-0x0000000000000000-mapping.dmp

Download
memory/3652-162-0x00000000008B0000-0x0000000000909000-memory.dmp

Filesize
356KB

Download
memory/3652-163-0x00000000008B0000-0x0000000000909000-memory.dmp

Filesize
356KB

Download
memory/3684-222-0x0000000000830000-0x00000000009A3000-memory.dmp

Filesize
1.4MB

Download
memory/3684-221-0x0000000000830000-0x00000000009A3000-memory.dmp

Filesize
1.4MB

Download
memory/3684-220-0x0000000000000000-mapping.dmp

Download
memory/3692-314-0x0000000000000000-mapping.dmp

Download
memory/3692-30-0x0000000000000000-mapping.dmp

Download
memory/3736-272-0x0000000000000000-mapping.dmp

Download
memory/3736-273-0x0000000001360000-0x0000000001377000-memory.dmp

Filesize
92KB

Download
memory/3736-274-0x0000000001360000-0x0000000001377000-memory.dmp

Filesize
92KB

Download
memory/3752-115-0x0000000000000000-mapping.dmp

Download
memory/3756-191-0x0000000000000000-mapping.dmp

Download
memory/3756-193-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/3756-192-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/3760-100-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/3760-98-0x0000000000000000-mapping.dmp

Download
memory/3760-99-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/3792-145-0x00007FF688500000-0x00007FF688593000-memory.dmp

Filesize
588KB

Download
memory/3792-143-0x0000000000000000-mapping.dmp

Download
memory/3792-144-0x00007FF688500000-0x00007FF688593000-memory.dmp

Filesize
588KB

Download
memory/3792-146-0x00007FF688500000-0x00007FF688593000-memory.dmp

Filesize
588KB

Download
memory/3796-50-0x000000000041E2C0-mapping.dmp

Download
memory/3800-78-0x0000000000000000-mapping.dmp

Download
memory/3804-227-0x0000000000000000-mapping.dmp

Download
memory/3804-228-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/3804-229-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/3816-14-0x0000000000000000-mapping.dmp

Download
memory/3816-16-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/3816-15-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/3820-182-0x000000000041E2C0-mapping.dmp

Download
memory/3824-118-0x0000000000830000-0x00000000009A3000-memory.dmp

Filesize
1.4MB

Download
memory/3824-117-0x0000000000000000-mapping.dmp

Download
memory/3824-119-0x0000000000830000-0x00000000009A3000-memory.dmp

Filesize
1.4MB

Download
memory/3832-300-0x000000000041E2C0-mapping.dmp

Download
memory/3836-282-0x000000000041E2C0-mapping.dmp

Download
memory/3852-130-0x000000000041E2C0-mapping.dmp

Download
memory/3860-9-0x0000000000000000-mapping.dmp

Download
memory/3868-165-0x000000000041E2C0-mapping.dmp

Download
memory/3872-249-0x000000000041E2C0-mapping.dmp

Download
memory/3876-307-0x0000000000000000-mapping.dmp

Download
memory/3876-270-0x0000000000000000-mapping.dmp

Download
memory/3908-61-0x0000000001350000-0x000000000136E000-memory.dmp

Filesize
120KB

Download
memory/3908-60-0x0000000000000000-mapping.dmp

Download
memory/3908-62-0x0000000001350000-0x000000000136E000-memory.dmp

Filesize
120KB

Download
memory/3912-306-0x000000000041E2C0-mapping.dmp

Download
memory/3924-283-0x0000000000000000-mapping.dmp

Download
memory/3928-131-0x0000000000000000-mapping.dmp

Download
memory/3928-311-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/3928-310-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/3928-309-0x0000000000000000-mapping.dmp

Download
memory/3948-325-0x000000000041E2C0-mapping.dmp

Download
memory/3972-11-0x000000000041E2C0-mapping.dmp

Download
memory/3996-57-0x000000000041E2C0-mapping.dmp

Download
memory/4004-110-0x0000000000000000-mapping.dmp

Download
memory/4004-112-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/4004-111-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/4032-256-0x0000000000000000-mapping.dmp

Download
memory/4044-37-0x0000000000000000-mapping.dmp

Download
memory/4044-39-0x0000000001350000-0x000000000136E000-memory.dmp

Filesize
120KB

Download
memory/4044-38-0x0000000001350000-0x000000000136E000-memory.dmp

Filesize
120KB

Download
memory/4048-175-0x000000000041E2C0-mapping.dmp

Download
memory/4052-183-0x0000000000000000-mapping.dmp

Download
memory/4056-237-0x000000000041E2C0-mapping.dmp

Download
memory/4056-65-0x0000000000000000-mapping.dmp

Download
memory/4056-196-0x0000000000000000-mapping.dmp

Download
memory/4080-176-0x0000000000000000-mapping.dmp

Download
memory/4164-353-0x0000000000000000-mapping.dmp

Download
memory/4164-354-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/4164-355-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/4172-346-0x0000000000000000-mapping.dmp

Download
memory/4224-351-0x000000000041E2C0-mapping.dmp

Download
memory/4272-352-0x0000000000000000-mapping.dmp

Download
memory/4320-359-0x0000000000000000-mapping.dmp

Download
memory/4320-360-0x0000000001230000-0x000000000152C000-memory.dmp

Filesize
3.0MB

Download
memory/4320-361-0x0000000001230000-0x000000000152C000-memory.dmp

Filesize
3.0MB

Download
memory/4344-357-0x000000000041E2C0-mapping.dmp

Download
memory/4392-358-0x0000000000000000-mapping.dmp

Download
memory/4424-368-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/4424-366-0x0000000000000000-mapping.dmp

Download
memory/4424-367-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/4456-363-0x000000000041E2C0-mapping.dmp

Download
memory/4504-364-0x0000000000000000-mapping.dmp

Download
memory/4540-372-0x0000000000000000-mapping.dmp

Download
memory/4540-373-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/4540-374-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/4568-370-0x000000000041E2C0-mapping.dmp

Download
memory/4616-371-0x0000000000000000-mapping.dmp

Download