asyncrat | 8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464

Analysis

max time kernel
121s
max time network
145s
platform
windows10_x64
resource
win10
submitted
17-08-2020 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
Size

1.0MB
MD5

9e1f450f05c4d65dd67853a910b5eaa3
SHA1

fdbf5e18b81a052753c6cc534d1b9fe7721e3e42
SHA256

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
SHA512

566184225a2f627040b2e0347a9c79c4265f2c3248163765b19a5cd899f4a172cecd51e6b95f4e5aad697dd17b569eceb5f6954032758e2e7dada838c38cf9e9

Score

10^/10

asyncrat azorult modiloader oski raccoon discovery evasion infostealer ransomware rat spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.08.17 - 00:00:55 GMT Bot_ID: 664A9041-4AC4-46F3-B3DC-87DB4D57890E_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 5 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: GOHCSFBB - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (710 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

marcristosc.ac.ug:6970

asdxcvxdfgdnbvrwe.ru:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
JYOhYhG62uqmKTlUY2Tiy97FVygkh2sM
anti_detection
false
autorun
false
bdos
false
delay
Default
host
marcristosc.ac.ug,asdxcvxdfgdnbvrwe.ru
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/804-133-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral2/memory/852-135-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral2/memory/804-136-0x000000000040616E-mapping.dmp	disable_win_def
behavioral2/memory/852-138-0x0000000000403BEE-mapping.dmp	disable_win_def
C:\Windows\Temp\setd1lx0.exe	disable_win_def
C:\Windows\temp\setd1lx0.exe	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file

yara_rule
raccoon_log_file

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4220-185-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4220-187-0x000000000040C75E-mapping.dmp	asyncrat

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1340-82-0x0000000000670000-0x0000000000680000-memory.dmp	modiloader_stage1

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1340-83-0x00000000036A0000-0x00000000036EB000-memory.dmp	modiloader_stage2

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

IOfdshachb.exeOIswervcsd.exeIOfdshachb.exeOIswervcsd.exe7FWZzSO2wc.exebgTJ7i6Stw.exea60GPIaRlw.exe3wU3c7M7Nh.exea60GPIaRlw.exe3wU3c7M7Nh.exebgTJ7i6Stw.exesetd1lx0.exe

pid	process
3844	IOfdshachb.exe
3956	OIswervcsd.exe
3172	IOfdshachb.exe
3328	OIswervcsd.exe
1340	7FWZzSO2wc.exe
1504	bgTJ7i6Stw.exe
1564	a60GPIaRlw.exe
3856	3wU3c7M7Nh.exe
804	a60GPIaRlw.exe
852	3wU3c7M7Nh.exe
4220	bgTJ7i6Stw.exe
4584	setd1lx0.exe

Loads dropped DLL 11 IoCs

Processes:

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exeOIswervcsd.exe

pid	process
3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
3328	OIswervcsd.exe
3328	OIswervcsd.exe
3328	OIswervcsd.exe
3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3wU3c7M7Nh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	3wU3c7M7Nh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	3wU3c7M7Nh.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

Processes:

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 6 IoCs

Processes:

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exeIOfdshachb.exeOIswervcsd.exea60GPIaRlw.exe3wU3c7M7Nh.exebgTJ7i6Stw.exe

description	pid	process	target process
PID 2008 set thread context of 3864	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
PID 3844 set thread context of 3172	3844	IOfdshachb.exe	IOfdshachb.exe
PID 3956 set thread context of 3328	3956	OIswervcsd.exe	OIswervcsd.exe
PID 1564 set thread context of 804	1564	a60GPIaRlw.exe	a60GPIaRlw.exe
PID 3856 set thread context of 852	3856	3wU3c7M7Nh.exe	3wU3c7M7Nh.exe
PID 1504 set thread context of 4220	1504	bgTJ7i6Stw.exe	bgTJ7i6Stw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

OIswervcsd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString OIswervcsd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3212 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

412 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4740 taskkill.exe
1656 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OIswervcsd.exe

pid	process
3212	schtasks.exe

pid	process
412	timeout.exe

pid	process
4740	taskkill.exe
1656	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a60GPIaRlw.exe3wU3c7M7Nh.exebgTJ7i6Stw.exea60GPIaRlw.exe

pid	process
1564	a60GPIaRlw.exe
1564	a60GPIaRlw.exe
3856	3wU3c7M7Nh.exe
3856	3wU3c7M7Nh.exe
1504	bgTJ7i6Stw.exe
1504	bgTJ7i6Stw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exeIOfdshachb.exeOIswervcsd.exe

pid process

2008 8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
3844 IOfdshachb.exe
3956 OIswervcsd.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

taskkill.exebgTJ7i6Stw.exe3wU3c7M7Nh.exea60GPIaRlw.exea60GPIaRlw.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1504	bgTJ7i6Stw.exe
Token: SeDebugPrivilege	3856	3wU3c7M7Nh.exe
Token: SeDebugPrivilege	1564	a60GPIaRlw.exe
Token: SeDebugPrivilege	804	a60GPIaRlw.exe
Token: SeDebugPrivilege	1164	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exeIOfdshachb.exeOIswervcsd.exea60GPIaRlw.exe

pid	process
2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
3844	IOfdshachb.exe
3956	OIswervcsd.exe
804	a60GPIaRlw.exe
804	a60GPIaRlw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exeIOfdshachb.exeOIswervcsd.exeOIswervcsd.execmd.exe8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.execmd.exe7FWZzSO2wc.exe

description	pid	process	target process
PID 2008 wrote to memory of 3844	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	IOfdshachb.exe
PID 2008 wrote to memory of 3844	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	IOfdshachb.exe
PID 2008 wrote to memory of 3844	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	IOfdshachb.exe
PID 2008 wrote to memory of 3956	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	OIswervcsd.exe
PID 2008 wrote to memory of 3956	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	OIswervcsd.exe
PID 2008 wrote to memory of 3956	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	OIswervcsd.exe
PID 2008 wrote to memory of 3864	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
PID 2008 wrote to memory of 3864	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
PID 2008 wrote to memory of 3864	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
PID 2008 wrote to memory of 3864	2008	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
PID 3844 wrote to memory of 3172	3844	IOfdshachb.exe	IOfdshachb.exe
PID 3844 wrote to memory of 3172	3844	IOfdshachb.exe	IOfdshachb.exe
PID 3844 wrote to memory of 3172	3844	IOfdshachb.exe	IOfdshachb.exe
PID 3844 wrote to memory of 3172	3844	IOfdshachb.exe	IOfdshachb.exe
PID 3956 wrote to memory of 3328	3956	OIswervcsd.exe	OIswervcsd.exe
PID 3956 wrote to memory of 3328	3956	OIswervcsd.exe	OIswervcsd.exe
PID 3956 wrote to memory of 3328	3956	OIswervcsd.exe	OIswervcsd.exe
PID 3956 wrote to memory of 3328	3956	OIswervcsd.exe	OIswervcsd.exe
PID 3328 wrote to memory of 3904	3328	OIswervcsd.exe	cmd.exe
PID 3328 wrote to memory of 3904	3328	OIswervcsd.exe	cmd.exe
PID 3328 wrote to memory of 3904	3328	OIswervcsd.exe	cmd.exe
PID 3904 wrote to memory of 1656	3904	cmd.exe	taskkill.exe
PID 3904 wrote to memory of 1656	3904	cmd.exe	taskkill.exe
PID 3904 wrote to memory of 1656	3904	cmd.exe	taskkill.exe
PID 3864 wrote to memory of 1340	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	7FWZzSO2wc.exe
PID 3864 wrote to memory of 1340	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	7FWZzSO2wc.exe
PID 3864 wrote to memory of 1340	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	7FWZzSO2wc.exe
PID 3864 wrote to memory of 1504	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	bgTJ7i6Stw.exe
PID 3864 wrote to memory of 1504	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	bgTJ7i6Stw.exe
PID 3864 wrote to memory of 1504	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	bgTJ7i6Stw.exe
PID 3864 wrote to memory of 1564	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	a60GPIaRlw.exe
PID 3864 wrote to memory of 1564	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	a60GPIaRlw.exe
PID 3864 wrote to memory of 1564	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	a60GPIaRlw.exe
PID 3864 wrote to memory of 3856	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	3wU3c7M7Nh.exe
PID 3864 wrote to memory of 3856	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	3wU3c7M7Nh.exe
PID 3864 wrote to memory of 3856	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	3wU3c7M7Nh.exe
PID 3864 wrote to memory of 1728	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	cmd.exe
PID 3864 wrote to memory of 1728	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	cmd.exe
PID 3864 wrote to memory of 1728	3864	8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe	cmd.exe
PID 1728 wrote to memory of 412	1728	cmd.exe	timeout.exe
PID 1728 wrote to memory of 412	1728	cmd.exe	timeout.exe
PID 1728 wrote to memory of 412	1728	cmd.exe	timeout.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe
PID 1340 wrote to memory of 1688	1340	7FWZzSO2wc.exe	Notepad.exe

C:\Users\Admin\AppData\Local\Temp\8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
"C:\Users\Admin\AppData\Local\Temp\8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\IOfdshachb.exe
"C:\Users\Admin\AppData\Local\Temp\IOfdshachb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844

C:\Users\Admin\AppData\Local\Temp\IOfdshachb.exe
"C:\Users\Admin\AppData\Local\Temp\IOfdshachb.exe"
3⤵
- Executes dropped EXE
PID:3172

C:\Users\Admin\AppData\Local\Temp\OIswervcsd.exe
"C:\Users\Admin\AppData\Local\Temp\OIswervcsd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\OIswervcsd.exe
"C:\Users\Admin\AppData\Local\Temp\OIswervcsd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 3328 & erase C:\Users\Admin\AppData\Local\Temp\OIswervcsd.exe & RD /S /Q C:\\ProgramData\\278485785537780\\* & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 3328
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe
"C:\Users\Admin\AppData\Local\Temp\8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe"
2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:3864

C:\Users\Admin\AppData\Local\Temp\7FWZzSO2wc.exe
"C:\Users\Admin\AppData\Local\Temp\7FWZzSO2wc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\Notepad.exe
"C:\Windows\System32\Notepad.exe"
4⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\bgTJ7i6Stw.exe
"C:\Users\Admin\AppData\Local\Temp\bgTJ7i6Stw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IZxHxqmErtehZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD135.tmp"
4⤵
- Creates scheduled task(s)
PID:3212

C:\Users\Admin\AppData\Local\Temp\bgTJ7i6Stw.exe
"{path}"
4⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\AppData\Local\Temp\a60GPIaRlw.exe
"C:\Users\Admin\AppData\Local\Temp\a60GPIaRlw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Users\Admin\AppData\Local\Temp\a60GPIaRlw.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:804

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\b3e3gkrq.inf
5⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\3wU3c7M7Nh.exe
"C:\Users\Admin\AppData\Local\Temp\3wU3c7M7Nh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Users\Admin\AppData\Local\Temp\3wU3c7M7Nh.exe
"{path}"
4⤵
- Executes dropped EXE
- Windows security modification
PID:852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:412

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\setd1lx0.exe
2⤵
PID:4448

C:\Windows\temp\setd1lx0.exe
C:\Windows\temp\setd1lx0.exe
3⤵
- Executes dropped EXE
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
PID:4712

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a60GPIaRlw.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bgTJ7i6Stw.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Temp\3wU3c7M7Nh.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3wU3c7M7Nh.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3wU3c7M7Nh.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FWZzSO2wc.exe

MD5
d127f9bee5ec56dc1dea4fc56d53a81b

SHA1
dfec988bbc2ddf381af9a682a89243be18150708

SHA256
c10cdf38e26339e4373c7e0a9a119381e703c7b8404ce0ed694fb3aae286d9b9

SHA512
9a5fd90c65c0e054b9e27cb93a8cff451d8ba91c1f4c08d8ef84e5919c0f4997cd3daff4ffc64862c803233bf6ce25ac6db79c912c71b6b6c68f52020d82ea93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FWZzSO2wc.exe

MD5
d127f9bee5ec56dc1dea4fc56d53a81b

SHA1
dfec988bbc2ddf381af9a682a89243be18150708

SHA256
c10cdf38e26339e4373c7e0a9a119381e703c7b8404ce0ed694fb3aae286d9b9

SHA512
9a5fd90c65c0e054b9e27cb93a8cff451d8ba91c1f4c08d8ef84e5919c0f4997cd3daff4ffc64862c803233bf6ce25ac6db79c912c71b6b6c68f52020d82ea93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOfdshachb.exe

MD5
3e26da4aeb8543d16a9b74a77ecbed12

SHA1
b0212c819541abe9c7363a10811a95182c47518a

SHA256
4cc662bef1d1307e43c80f4e7e77adad0a46a33beed9d2197c97355b22642d0f

SHA512
267f7ee5fe1d07f45116e547c148c385d957a4bbe5289c01154b0b21a90b68945ac2de2a1c7d1c207e277fc3396c6353639c0e045c27d8f590a601945867678c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOfdshachb.exe

MD5
3e26da4aeb8543d16a9b74a77ecbed12

SHA1
b0212c819541abe9c7363a10811a95182c47518a

SHA256
4cc662bef1d1307e43c80f4e7e77adad0a46a33beed9d2197c97355b22642d0f

SHA512
267f7ee5fe1d07f45116e547c148c385d957a4bbe5289c01154b0b21a90b68945ac2de2a1c7d1c207e277fc3396c6353639c0e045c27d8f590a601945867678c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOfdshachb.exe

MD5
3e26da4aeb8543d16a9b74a77ecbed12

SHA1
b0212c819541abe9c7363a10811a95182c47518a

SHA256
4cc662bef1d1307e43c80f4e7e77adad0a46a33beed9d2197c97355b22642d0f

SHA512
267f7ee5fe1d07f45116e547c148c385d957a4bbe5289c01154b0b21a90b68945ac2de2a1c7d1c207e277fc3396c6353639c0e045c27d8f590a601945867678c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIswervcsd.exe

MD5
9414c3ec2012caac9e6faba8c094e44a

SHA1
150ead3d07afa0075a35183ad5a12600b932e3fd

SHA256
517c5f9843afbc559dfa3281da5ea360a9d7abb998b29b6802335a707b59a982

SHA512
5e571c6355332292f4f843cde62069839ad243b329818c70dcf2c2d19deaa697e2dfc35578c493e9be5cd70c076a3747972613fecaf882a00c23b105138077d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIswervcsd.exe

MD5
9414c3ec2012caac9e6faba8c094e44a

SHA1
150ead3d07afa0075a35183ad5a12600b932e3fd

SHA256
517c5f9843afbc559dfa3281da5ea360a9d7abb998b29b6802335a707b59a982

SHA512
5e571c6355332292f4f843cde62069839ad243b329818c70dcf2c2d19deaa697e2dfc35578c493e9be5cd70c076a3747972613fecaf882a00c23b105138077d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIswervcsd.exe

MD5
9414c3ec2012caac9e6faba8c094e44a

SHA1
150ead3d07afa0075a35183ad5a12600b932e3fd

SHA256
517c5f9843afbc559dfa3281da5ea360a9d7abb998b29b6802335a707b59a982

SHA512
5e571c6355332292f4f843cde62069839ad243b329818c70dcf2c2d19deaa697e2dfc35578c493e9be5cd70c076a3747972613fecaf882a00c23b105138077d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a60GPIaRlw.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a60GPIaRlw.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a60GPIaRlw.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgTJ7i6Stw.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgTJ7i6Stw.exe

MD5
1f9445786d9bc14140669206fd7cda0f

SHA1
9b949988bb49e8c026020973f0010cd305c97baf

SHA256
82bc5eba22dc5eb72b08138bffbf1efa146e98418ed31d8f641c81e21f38596b

SHA512
472f58984f440b0643b641ce371aa20f3493ac33690ecd60f5d01913c1f2a5432e2fa2cc499ce8108ebf00f296d25a82bd16551d625b558b57154cbe741449f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgTJ7i6Stw.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD135.tmp

Download Submit
C:\Windows\Temp\setd1lx0.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\b3e3gkrq.inf

Download Submit
C:\Windows\temp\setd1lx0.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/412-66-0x0000000000000000-mapping.dmp

Download
memory/804-141-0x00000000710A0000-0x000000007178E000-memory.dmp

Filesize
6.9MB

Download
memory/804-133-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/804-136-0x000000000040616E-mapping.dmp

Download
memory/852-142-0x00000000710A0000-0x000000007178E000-memory.dmp

Filesize
6.9MB

Download
memory/852-135-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/852-138-0x0000000000403BEE-mapping.dmp

Download
memory/1164-232-0x00000000083C0000-0x00000000083C1000-memory.dmp

Filesize
4KB

Download
memory/1164-194-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/1164-150-0x0000000000000000-mapping.dmp

Download
memory/1164-170-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/1164-164-0x00000000710A0000-0x000000007178E000-memory.dmp

Filesize
6.9MB

Download
memory/1164-231-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/1164-189-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/1164-182-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/1164-167-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1164-196-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/1340-82-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/1340-83-0x00000000036A0000-0x00000000036EB000-memory.dmp

Filesize
300KB

Download
memory/1340-44-0x0000000000000000-mapping.dmp

Download
memory/1504-76-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/1504-56-0x00000000710A0000-0x000000007178E000-memory.dmp

Filesize
6.9MB

Download
memory/1504-71-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/1504-62-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1504-47-0x0000000000000000-mapping.dmp

Download
memory/1504-121-0x0000000007350000-0x000000000737F000-memory.dmp

Filesize
188KB

Download
memory/1504-130-0x0000000007390000-0x000000000739D000-memory.dmp

Filesize
52KB

Download
memory/1504-79-0x0000000006E20000-0x0000000006E24000-memory.dmp

Filesize
16KB

Download
memory/1564-123-0x00000000077F0000-0x0000000007819000-memory.dmp

Filesize
164KB

Download
memory/1564-55-0x00000000710A0000-0x000000007178E000-memory.dmp

Filesize
6.9MB

Download
memory/1564-50-0x0000000000000000-mapping.dmp

Download
memory/1564-129-0x00000000074E0000-0x00000000074E6000-memory.dmp

Filesize
24KB

Download
memory/1564-60-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1656-43-0x0000000000000000-mapping.dmp

Download
memory/1688-125-0x0000000000000000-mapping.dmp

Download
memory/1688-165-0x0000000000000000-mapping.dmp

Download
memory/1688-96-0x0000000000000000-mapping.dmp

Download
memory/1688-97-0x0000000000000000-mapping.dmp

Download
memory/1688-98-0x0000000000000000-mapping.dmp

Download
memory/1688-99-0x0000000000000000-mapping.dmp

Download
memory/1688-100-0x0000000000000000-mapping.dmp

Download
memory/1688-101-0x0000000000000000-mapping.dmp

Download
memory/1688-102-0x0000000000000000-mapping.dmp

Download
memory/1688-103-0x0000000000000000-mapping.dmp

Download
memory/1688-104-0x0000000000000000-mapping.dmp

Download
memory/1688-105-0x0000000000000000-mapping.dmp

Download
memory/1688-106-0x0000000000000000-mapping.dmp

Download
memory/1688-107-0x0000000000000000-mapping.dmp

Download
memory/1688-108-0x0000000000000000-mapping.dmp

Download
memory/1688-109-0x0000000000000000-mapping.dmp

Download
memory/1688-110-0x0000000000000000-mapping.dmp

Download
memory/1688-111-0x0000000000000000-mapping.dmp

Download
memory/1688-112-0x0000000000000000-mapping.dmp

Download
memory/1688-113-0x0000000000000000-mapping.dmp

Download
memory/1688-114-0x0000000000000000-mapping.dmp

Download
memory/1688-115-0x0000000000000000-mapping.dmp

Download
memory/1688-116-0x0000000000000000-mapping.dmp

Download
memory/1688-117-0x0000000000000000-mapping.dmp

Download
memory/1688-118-0x0000000000000000-mapping.dmp

Download
memory/1688-119-0x0000000000000000-mapping.dmp

Download
memory/1688-94-0x0000000000000000-mapping.dmp

Download
memory/1688-120-0x0000000000000000-mapping.dmp

Download
memory/1688-93-0x0000000000000000-mapping.dmp

Download
memory/1688-230-0x0000000000000000-mapping.dmp

Download
memory/1688-124-0x0000000000000000-mapping.dmp

Download
memory/1688-229-0x0000000000000000-mapping.dmp

Download
memory/1688-126-0x0000000000000000-mapping.dmp

Download
memory/1688-127-0x0000000000000000-mapping.dmp

Download
memory/1688-228-0x0000000000000000-mapping.dmp

Download
memory/1688-92-0x0000000000000000-mapping.dmp

Download
memory/1688-91-0x0000000000000000-mapping.dmp

Download
memory/1688-131-0x0000000000000000-mapping.dmp

Download
memory/1688-132-0x0000000000000000-mapping.dmp

Download
memory/1688-90-0x0000000000000000-mapping.dmp

Download
memory/1688-134-0x0000000000000000-mapping.dmp

Download
memory/1688-89-0x0000000000000000-mapping.dmp

Download
memory/1688-88-0x0000000000000000-mapping.dmp

Download
memory/1688-137-0x0000000000000000-mapping.dmp

Download
memory/1688-87-0x0000000000000000-mapping.dmp

Download
memory/1688-86-0x0000000000000000-mapping.dmp

Download
memory/1688-85-0x0000000000000000-mapping.dmp

Download
memory/1688-143-0x0000000000000000-mapping.dmp

Download
memory/1688-84-0x0000000000000000-mapping.dmp

Download
memory/1688-227-0x0000000000000000-mapping.dmp

Download
memory/1688-146-0x0000000000000000-mapping.dmp

Download
memory/1688-225-0x0000000000000000-mapping.dmp

Download
memory/1688-151-0x0000000000000000-mapping.dmp

Download
memory/1688-153-0x0000000000000000-mapping.dmp

Download
memory/1688-223-0x0000000000000000-mapping.dmp

Download
memory/1688-155-0x0000000000000000-mapping.dmp

Download
memory/1688-221-0x0000000000000000-mapping.dmp

Download
memory/1688-157-0x0000000000000000-mapping.dmp

Download
memory/1688-219-0x0000000000000000-mapping.dmp

Download
memory/1688-218-0x0000000000000000-mapping.dmp

Download
memory/1688-159-0x0000000000000000-mapping.dmp

Download
memory/1688-162-0x0000000000000000-mapping.dmp

Download
memory/1688-163-0x0000000000000000-mapping.dmp

Download
memory/1688-95-0x0000000000000000-mapping.dmp

Download
memory/1688-213-0x0000000000000000-mapping.dmp

Download
memory/1688-166-0x0000000000000000-mapping.dmp

Download
memory/1688-211-0x0000000000000000-mapping.dmp

Download
memory/1688-168-0x0000000000000000-mapping.dmp

Download
memory/1688-169-0x0000000000000000-mapping.dmp

Download
memory/1688-210-0x0000000000000000-mapping.dmp

Download
memory/1688-171-0x0000000000000000-mapping.dmp

Download
memory/1688-209-0x0000000000000000-mapping.dmp

Download
memory/1688-173-0x0000000000000000-mapping.dmp

Download
memory/1688-174-0x0000000000000000-mapping.dmp

Download
memory/1688-175-0x0000000000000000-mapping.dmp

Download
memory/1688-176-0x0000000000000000-mapping.dmp

Download
memory/1688-177-0x0000000000000000-mapping.dmp

Download
memory/1688-178-0x0000000000000000-mapping.dmp

Download
memory/1688-179-0x0000000000000000-mapping.dmp

Download
memory/1688-180-0x0000000000000000-mapping.dmp

Download
memory/1688-181-0x0000000000000000-mapping.dmp

Download
memory/1688-208-0x0000000000000000-mapping.dmp

Download
memory/1688-184-0x0000000000000000-mapping.dmp

Download
memory/1688-207-0x0000000000000000-mapping.dmp

Download
memory/1688-186-0x0000000000000000-mapping.dmp

Download
memory/1688-206-0x0000000000000000-mapping.dmp

Download
memory/1688-205-0x0000000000000000-mapping.dmp

Download
memory/1688-190-0x0000000000000000-mapping.dmp

Download
memory/1688-204-0x0000000000000000-mapping.dmp

Download
memory/1688-203-0x0000000000000000-mapping.dmp

Download
memory/1688-202-0x0000000000000000-mapping.dmp

Download
memory/1688-200-0x0000000000000000-mapping.dmp

Download
memory/1688-199-0x0000000000000000-mapping.dmp

Download
memory/1688-195-0x0000000000000000-mapping.dmp

Download
memory/1728-54-0x0000000000000000-mapping.dmp

Download
memory/3172-16-0x000000000041A684-mapping.dmp

Download
memory/3172-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3172-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3212-158-0x0000000000000000-mapping.dmp

Download
memory/3328-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3328-19-0x0000000000417A8B-mapping.dmp

Download
memory/3328-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3328-37-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/3544-154-0x0000000000000000-mapping.dmp

Download
memory/3544-160-0x0000000004290000-0x0000000004391000-memory.dmp

Filesize
1.0MB

Download
memory/3844-2-0x0000000000000000-mapping.dmp

Download
memory/3856-53-0x0000000000000000-mapping.dmp

Download
memory/3856-122-0x0000000007730000-0x0000000007758000-memory.dmp

Filesize
160KB

Download
memory/3856-59-0x00000000710A0000-0x000000007178E000-memory.dmp

Filesize
6.9MB

Download
memory/3856-128-0x0000000005220000-0x0000000005224000-memory.dmp

Filesize
16KB

Download
memory/3856-73-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3856-67-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/3856-61-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3864-13-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3864-11-0x000000000043FA98-mapping.dmp

Download
memory/3864-8-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3904-41-0x0000000000000000-mapping.dmp

Download
memory/3956-5-0x0000000000000000-mapping.dmp

Download
memory/4220-187-0x000000000040C75E-mapping.dmp

Download
memory/4220-185-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4220-193-0x00000000710A0000-0x000000007178E000-memory.dmp

Filesize
6.9MB

Download
memory/4448-201-0x0000000000000000-mapping.dmp

Download
memory/4584-220-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4584-217-0x00007FFD040E0000-0x00007FFD04ACC000-memory.dmp

Filesize
9.9MB

Download
memory/4584-214-0x0000000000000000-mapping.dmp

Download
memory/4584-212-0x0000000000000000-mapping.dmp

Download
memory/4712-224-0x0000000000000000-mapping.dmp

Download
memory/4740-226-0x0000000000000000-mapping.dmp

Download