asyncrat | c686c7b2fff2ad2853c1d450d44fcf96ff3df67f34205b6b4e0352153893c924

Analysis

max time kernel
148s
max time network
147s
platform
windows10_x64
resource
win10
submitted
13-10-2020 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

826d68f6e4a2c308e91aad81c8368443.exe
Size

1.3MB
MD5

826d68f6e4a2c308e91aad81c8368443
SHA1

66cffe0dc5cb3de1f5c0e754bc0e21e712e756f0
SHA256

c686c7b2fff2ad2853c1d450d44fcf96ff3df67f34205b6b4e0352153893c924
SHA512

a0220d1ad77ec7a0bf008ae275b9c66ce480ec55e1eacc582e40cd5d383dabd5ca2af1ae3b534a5bc135fd88beef2e52f2600b2604243a987660b46bf24f604c

Score

10^/10

asyncrat azorult modiloader oski raccoon discovery evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2068-89-0x0000000001580000-0x0000000001585000-memory.dmp	disable_win_def
C:\Windows\Temp\vrpaqpx4.exe	disable_win_def
C:\Windows\temp\vrpaqpx4.exe	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2688-189-0x0000000002370000-0x000000000237F000-memory.dmp	modiloader_stage1

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

Gdyhfdfg.exeIytrgbdsf.exeIytrgbdsf.exeGdyhfdfg.exe0ccVX33fOj.exelqjgXwjmWN.exebfk1USsOJ5.exewSepg5d4fF.exebfk1USsOJ5.exe0ccVX33fOj.exewSepg5d4fF.exevrpaqpx4.exe

pid	process
2456	Gdyhfdfg.exe
3908	Iytrgbdsf.exe
876	Iytrgbdsf.exe
404	Gdyhfdfg.exe
656	0ccVX33fOj.exe
2688	lqjgXwjmWN.exe
4036	bfk1USsOJ5.exe
3544	wSepg5d4fF.exe
2068	bfk1USsOJ5.exe
2504	0ccVX33fOj.exe
1088	wSepg5d4fF.exe
2836	vrpaqpx4.exe

Loads dropped DLL 11 IoCs

Processes:

Iytrgbdsf.exe826d68f6e4a2c308e91aad81c8368443.exe

pid	process
876	Iytrgbdsf.exe
876	Iytrgbdsf.exe
876	Iytrgbdsf.exe
3948	826d68f6e4a2c308e91aad81c8368443.exe
3948	826d68f6e4a2c308e91aad81c8368443.exe
3948	826d68f6e4a2c308e91aad81c8368443.exe
3948	826d68f6e4a2c308e91aad81c8368443.exe
3948	826d68f6e4a2c308e91aad81c8368443.exe
3948	826d68f6e4a2c308e91aad81c8368443.exe
3948	826d68f6e4a2c308e91aad81c8368443.exe
3948	826d68f6e4a2c308e91aad81c8368443.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

wSepg5d4fF.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	wSepg5d4fF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	wSepg5d4fF.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

826d68f6e4a2c308e91aad81c8368443.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\FLesFFxEsEs\desktop.ini 826d68f6e4a2c308e91aad81c8368443.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\FLesFFxEsEs\desktop.ini	826d68f6e4a2c308e91aad81c8368443.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

826d68f6e4a2c308e91aad81c8368443.exeIytrgbdsf.exeGdyhfdfg.exebfk1USsOJ5.exe0ccVX33fOj.exewSepg5d4fF.exe

description	pid	process	target process
PID 720 set thread context of 3948	720	826d68f6e4a2c308e91aad81c8368443.exe	826d68f6e4a2c308e91aad81c8368443.exe
PID 3908 set thread context of 876	3908	Iytrgbdsf.exe	Iytrgbdsf.exe
PID 2456 set thread context of 404	2456	Gdyhfdfg.exe	Gdyhfdfg.exe
PID 4036 set thread context of 2068	4036	bfk1USsOJ5.exe	bfk1USsOJ5.exe
PID 656 set thread context of 2504	656	0ccVX33fOj.exe	0ccVX33fOj.exe
PID 3544 set thread context of 1088	3544	wSepg5d4fF.exe	wSepg5d4fF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Iytrgbdsf.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Iytrgbdsf.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3784 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3500 taskkill.exe
1480 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Iytrgbdsf.exe

pid	process
3784	timeout.exe

pid	process
3500	taskkill.exe
1480	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

lqjgXwjmWN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lqjgXwjmWN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030106082b0601050507030706082b0601050507030206082b0601050507030406082b0601050507030353000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lqjgXwjmWN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bfk1USsOJ5.exe

pid	process
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

826d68f6e4a2c308e91aad81c8368443.exeIytrgbdsf.exeGdyhfdfg.exe

pid process

720 826d68f6e4a2c308e91aad81c8368443.exe
3908 Iytrgbdsf.exe
2456 Gdyhfdfg.exe

pid	process
720	826d68f6e4a2c308e91aad81c8368443.exe
3908	Iytrgbdsf.exe
2456	Gdyhfdfg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exebfk1USsOJ5.exe0ccVX33fOj.exewSepg5d4fF.exebfk1USsOJ5.exePowershell.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	4036	bfk1USsOJ5.exe
Token: SeDebugPrivilege	656	0ccVX33fOj.exe
Token: SeDebugPrivilege	3544	wSepg5d4fF.exe
Token: SeDebugPrivilege	2068	bfk1USsOJ5.exe
Token: SeDebugPrivilege	2364	Powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeIncreaseQuotaPrivilege	1456	powershell.exe
Token: SeSecurityPrivilege	1456	powershell.exe
Token: SeTakeOwnershipPrivilege	1456	powershell.exe
Token: SeLoadDriverPrivilege	1456	powershell.exe
Token: SeSystemProfilePrivilege	1456	powershell.exe
Token: SeSystemtimePrivilege	1456	powershell.exe
Token: SeProfSingleProcessPrivilege	1456	powershell.exe
Token: SeIncBasePriorityPrivilege	1456	powershell.exe
Token: SeCreatePagefilePrivilege	1456	powershell.exe
Token: SeBackupPrivilege	1456	powershell.exe
Token: SeRestorePrivilege	1456	powershell.exe
Token: SeShutdownPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeSystemEnvironmentPrivilege	1456	powershell.exe
Token: SeRemoteShutdownPrivilege	1456	powershell.exe
Token: SeUndockPrivilege	1456	powershell.exe
Token: SeManageVolumePrivilege	1456	powershell.exe
Token: 33	1456	powershell.exe
Token: 34	1456	powershell.exe
Token: 35	1456	powershell.exe
Token: 36	1456	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeIncreaseQuotaPrivilege	4424	powershell.exe
Token: SeSecurityPrivilege	4424	powershell.exe
Token: SeTakeOwnershipPrivilege	4424	powershell.exe
Token: SeLoadDriverPrivilege	4424	powershell.exe
Token: SeSystemProfilePrivilege	4424	powershell.exe
Token: SeSystemtimePrivilege	4424	powershell.exe
Token: SeProfSingleProcessPrivilege	4424	powershell.exe
Token: SeIncBasePriorityPrivilege	4424	powershell.exe
Token: SeCreatePagefilePrivilege	4424	powershell.exe
Token: SeBackupPrivilege	4424	powershell.exe
Token: SeRestorePrivilege	4424	powershell.exe
Token: SeShutdownPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeSystemEnvironmentPrivilege	4424	powershell.exe
Token: SeRemoteShutdownPrivilege	4424	powershell.exe
Token: SeUndockPrivilege	4424	powershell.exe
Token: SeManageVolumePrivilege	4424	powershell.exe
Token: 33	4424	powershell.exe
Token: 34	4424	powershell.exe
Token: 35	4424	powershell.exe
Token: 36	4424	powershell.exe
Token: SeIncreaseQuotaPrivilege	4960	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

826d68f6e4a2c308e91aad81c8368443.exeGdyhfdfg.exeIytrgbdsf.exebfk1USsOJ5.exe

pid process

720 826d68f6e4a2c308e91aad81c8368443.exe
2456 Gdyhfdfg.exe
3908 Iytrgbdsf.exe
2068 bfk1USsOJ5.exe
2068 bfk1USsOJ5.exe

pid	process
720	826d68f6e4a2c308e91aad81c8368443.exe
2456	Gdyhfdfg.exe
3908	Iytrgbdsf.exe
2068	bfk1USsOJ5.exe
2068	bfk1USsOJ5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

826d68f6e4a2c308e91aad81c8368443.exeIytrgbdsf.exeGdyhfdfg.exeIytrgbdsf.execmd.exe826d68f6e4a2c308e91aad81c8368443.execmd.exe0ccVX33fOj.exebfk1USsOJ5.exebfk1USsOJ5.exe

description	pid	process	target process
PID 720 wrote to memory of 2456	720	826d68f6e4a2c308e91aad81c8368443.exe	Gdyhfdfg.exe
PID 720 wrote to memory of 2456	720	826d68f6e4a2c308e91aad81c8368443.exe	Gdyhfdfg.exe
PID 720 wrote to memory of 2456	720	826d68f6e4a2c308e91aad81c8368443.exe	Gdyhfdfg.exe
PID 720 wrote to memory of 3908	720	826d68f6e4a2c308e91aad81c8368443.exe	Iytrgbdsf.exe
PID 720 wrote to memory of 3908	720	826d68f6e4a2c308e91aad81c8368443.exe	Iytrgbdsf.exe
PID 720 wrote to memory of 3908	720	826d68f6e4a2c308e91aad81c8368443.exe	Iytrgbdsf.exe
PID 720 wrote to memory of 3948	720	826d68f6e4a2c308e91aad81c8368443.exe	826d68f6e4a2c308e91aad81c8368443.exe
PID 720 wrote to memory of 3948	720	826d68f6e4a2c308e91aad81c8368443.exe	826d68f6e4a2c308e91aad81c8368443.exe
PID 720 wrote to memory of 3948	720	826d68f6e4a2c308e91aad81c8368443.exe	826d68f6e4a2c308e91aad81c8368443.exe
PID 720 wrote to memory of 3948	720	826d68f6e4a2c308e91aad81c8368443.exe	826d68f6e4a2c308e91aad81c8368443.exe
PID 3908 wrote to memory of 876	3908	Iytrgbdsf.exe	Iytrgbdsf.exe
PID 3908 wrote to memory of 876	3908	Iytrgbdsf.exe	Iytrgbdsf.exe
PID 3908 wrote to memory of 876	3908	Iytrgbdsf.exe	Iytrgbdsf.exe
PID 3908 wrote to memory of 876	3908	Iytrgbdsf.exe	Iytrgbdsf.exe
PID 2456 wrote to memory of 404	2456	Gdyhfdfg.exe	Gdyhfdfg.exe
PID 2456 wrote to memory of 404	2456	Gdyhfdfg.exe	Gdyhfdfg.exe
PID 2456 wrote to memory of 404	2456	Gdyhfdfg.exe	Gdyhfdfg.exe
PID 2456 wrote to memory of 404	2456	Gdyhfdfg.exe	Gdyhfdfg.exe
PID 876 wrote to memory of 480	876	Iytrgbdsf.exe	cmd.exe
PID 876 wrote to memory of 480	876	Iytrgbdsf.exe	cmd.exe
PID 876 wrote to memory of 480	876	Iytrgbdsf.exe	cmd.exe
PID 480 wrote to memory of 3500	480	cmd.exe	taskkill.exe
PID 480 wrote to memory of 3500	480	cmd.exe	taskkill.exe
PID 480 wrote to memory of 3500	480	cmd.exe	taskkill.exe
PID 3948 wrote to memory of 656	3948	826d68f6e4a2c308e91aad81c8368443.exe	0ccVX33fOj.exe
PID 3948 wrote to memory of 656	3948	826d68f6e4a2c308e91aad81c8368443.exe	0ccVX33fOj.exe
PID 3948 wrote to memory of 656	3948	826d68f6e4a2c308e91aad81c8368443.exe	0ccVX33fOj.exe
PID 3948 wrote to memory of 2688	3948	826d68f6e4a2c308e91aad81c8368443.exe	lqjgXwjmWN.exe
PID 3948 wrote to memory of 2688	3948	826d68f6e4a2c308e91aad81c8368443.exe	lqjgXwjmWN.exe
PID 3948 wrote to memory of 2688	3948	826d68f6e4a2c308e91aad81c8368443.exe	lqjgXwjmWN.exe
PID 3948 wrote to memory of 4036	3948	826d68f6e4a2c308e91aad81c8368443.exe	bfk1USsOJ5.exe
PID 3948 wrote to memory of 4036	3948	826d68f6e4a2c308e91aad81c8368443.exe	bfk1USsOJ5.exe
PID 3948 wrote to memory of 4036	3948	826d68f6e4a2c308e91aad81c8368443.exe	bfk1USsOJ5.exe
PID 3948 wrote to memory of 3544	3948	826d68f6e4a2c308e91aad81c8368443.exe	wSepg5d4fF.exe
PID 3948 wrote to memory of 3544	3948	826d68f6e4a2c308e91aad81c8368443.exe	wSepg5d4fF.exe
PID 3948 wrote to memory of 3544	3948	826d68f6e4a2c308e91aad81c8368443.exe	wSepg5d4fF.exe
PID 3948 wrote to memory of 3836	3948	826d68f6e4a2c308e91aad81c8368443.exe	cmd.exe
PID 3948 wrote to memory of 3836	3948	826d68f6e4a2c308e91aad81c8368443.exe	cmd.exe
PID 3948 wrote to memory of 3836	3948	826d68f6e4a2c308e91aad81c8368443.exe	cmd.exe
PID 3836 wrote to memory of 3784	3836	cmd.exe	timeout.exe
PID 3836 wrote to memory of 3784	3836	cmd.exe	timeout.exe
PID 3836 wrote to memory of 3784	3836	cmd.exe	timeout.exe
PID 656 wrote to memory of 2364	656	0ccVX33fOj.exe	Powershell.exe
PID 656 wrote to memory of 2364	656	0ccVX33fOj.exe	Powershell.exe
PID 656 wrote to memory of 2364	656	0ccVX33fOj.exe	Powershell.exe
PID 4036 wrote to memory of 2068	4036	bfk1USsOJ5.exe	bfk1USsOJ5.exe
PID 4036 wrote to memory of 2068	4036	bfk1USsOJ5.exe	bfk1USsOJ5.exe
PID 4036 wrote to memory of 2068	4036	bfk1USsOJ5.exe	bfk1USsOJ5.exe
PID 4036 wrote to memory of 2068	4036	bfk1USsOJ5.exe	bfk1USsOJ5.exe
PID 4036 wrote to memory of 2068	4036	bfk1USsOJ5.exe	bfk1USsOJ5.exe
PID 4036 wrote to memory of 2068	4036	bfk1USsOJ5.exe	bfk1USsOJ5.exe
PID 4036 wrote to memory of 2068	4036	bfk1USsOJ5.exe	bfk1USsOJ5.exe
PID 4036 wrote to memory of 2068	4036	bfk1USsOJ5.exe	bfk1USsOJ5.exe
PID 656 wrote to memory of 2504	656	0ccVX33fOj.exe	0ccVX33fOj.exe
PID 656 wrote to memory of 2504	656	0ccVX33fOj.exe	0ccVX33fOj.exe
PID 656 wrote to memory of 2504	656	0ccVX33fOj.exe	0ccVX33fOj.exe
PID 656 wrote to memory of 2504	656	0ccVX33fOj.exe	0ccVX33fOj.exe
PID 656 wrote to memory of 2504	656	0ccVX33fOj.exe	0ccVX33fOj.exe
PID 656 wrote to memory of 2504	656	0ccVX33fOj.exe	0ccVX33fOj.exe
PID 656 wrote to memory of 2504	656	0ccVX33fOj.exe	0ccVX33fOj.exe
PID 656 wrote to memory of 2504	656	0ccVX33fOj.exe	0ccVX33fOj.exe
PID 2068 wrote to memory of 3436	2068	bfk1USsOJ5.exe	cmstp.exe
PID 2068 wrote to memory of 3436	2068	bfk1USsOJ5.exe	cmstp.exe
PID 2068 wrote to memory of 3436	2068	bfk1USsOJ5.exe	cmstp.exe

C:\Users\Admin\AppData\Local\Temp\826d68f6e4a2c308e91aad81c8368443.exe
"C:\Users\Admin\AppData\Local\Temp\826d68f6e4a2c308e91aad81c8368443.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:720

C:\Users\Admin\AppData\Local\Temp\Gdyhfdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Gdyhfdfg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\Gdyhfdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Gdyhfdfg.exe"
3⤵
- Executes dropped EXE
PID:404

C:\Users\Admin\AppData\Local\Temp\Iytrgbdsf.exe
"C:\Users\Admin\AppData\Local\Temp\Iytrgbdsf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\Iytrgbdsf.exe
"C:\Users\Admin\AppData\Local\Temp\Iytrgbdsf.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 876 & erase C:\Users\Admin\AppData\Local\Temp\Iytrgbdsf.exe & RD /S /Q C:\\ProgramData\\365579113388757\\* & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 876
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Users\Admin\AppData\Local\Temp\826d68f6e4a2c308e91aad81c8368443.exe
"C:\Users\Admin\AppData\Local\Temp\826d68f6e4a2c308e91aad81c8368443.exe"
2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\0ccVX33fOj.exe
"C:\Users\Admin\AppData\Local\Temp\0ccVX33fOj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\ddvlc.exe"'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Users\Admin\AppData\Local\Temp\0ccVX33fOj.exe
"C:\Users\Admin\AppData\Local\Temp\0ccVX33fOj.exe"
4⤵
- Executes dropped EXE
PID:2504

C:\Users\Admin\AppData\Local\Temp\lqjgXwjmWN.exe
"C:\Users\Admin\AppData\Local\Temp\lqjgXwjmWN.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2688

C:\Windows\SysWOW64\Notepad.exe
"C:\Windows\System32\Notepad.exe"
4⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\bfk1USsOJ5.exe
"C:\Users\Admin\AppData\Local\Temp\bfk1USsOJ5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\bfk1USsOJ5.exe
"C:\Users\Admin\AppData\Local\Temp\bfk1USsOJ5.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\euxse45q.inf
5⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\wSepg5d4fF.exe
"C:\Users\Admin\AppData\Local\Temp\wSepg5d4fF.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Users\Admin\AppData\Local\Temp\wSepg5d4fF.exe
"C:\Users\Admin\AppData\Local\Temp\wSepg5d4fF.exe"
4⤵
- Executes dropped EXE
- Windows security modification
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\826d68f6e4a2c308e91aad81c8368443.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:3784

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\vrpaqpx4.exe
2⤵
PID:3416

C:\Windows\temp\vrpaqpx4.exe
C:\Windows\temp\vrpaqpx4.exe
3⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0ccVX33fOj.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bfk1USsOJ5.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wSepg5d4fF.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ccVX33fOj.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ccVX33fOj.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ccVX33fOj.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gdyhfdfg.exe
MD5
241c5510dd1740289b7ec351b5d1148a

SHA1
5b8365b17bd66128b2729e33cd8dc16c239efb26

SHA256
708e621e3338fe5286b3b83214ab7037ca6d502c8c64fb21b82b52869b22d781

SHA512
519cc4184159091b7d2db81a17052dd7949a6f524ac27e3ab3969f78dd9ea0b2b14013b1cc6ac26ed2b4f7e6ce86b14157c20169fe0d261d47b00faee7e62584

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gdyhfdfg.exe
MD5
241c5510dd1740289b7ec351b5d1148a

SHA1
5b8365b17bd66128b2729e33cd8dc16c239efb26

SHA256
708e621e3338fe5286b3b83214ab7037ca6d502c8c64fb21b82b52869b22d781

SHA512
519cc4184159091b7d2db81a17052dd7949a6f524ac27e3ab3969f78dd9ea0b2b14013b1cc6ac26ed2b4f7e6ce86b14157c20169fe0d261d47b00faee7e62584

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gdyhfdfg.exe
MD5
241c5510dd1740289b7ec351b5d1148a

SHA1
5b8365b17bd66128b2729e33cd8dc16c239efb26

SHA256
708e621e3338fe5286b3b83214ab7037ca6d502c8c64fb21b82b52869b22d781

SHA512
519cc4184159091b7d2db81a17052dd7949a6f524ac27e3ab3969f78dd9ea0b2b14013b1cc6ac26ed2b4f7e6ce86b14157c20169fe0d261d47b00faee7e62584

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iytrgbdsf.exe
MD5
43ae58d1d4e86d2434e330ae0c93ef3b

SHA1
0ff0324a2bf7a6118ff0f18412779e4cc4685b71

SHA256
67d9607ec8ba7e1ebc4147030a53dc56d6fbe0eecda512739a02422785c934ae

SHA512
e8155036346031730b24e5869de16463cca7e88691e528098641aee3e3f8dddc7cd9b3e53fd1ee956e4357f7777b27be98e41c269f0ef29b1311f308efe87525

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iytrgbdsf.exe
MD5
43ae58d1d4e86d2434e330ae0c93ef3b

SHA1
0ff0324a2bf7a6118ff0f18412779e4cc4685b71

SHA256
67d9607ec8ba7e1ebc4147030a53dc56d6fbe0eecda512739a02422785c934ae

SHA512
e8155036346031730b24e5869de16463cca7e88691e528098641aee3e3f8dddc7cd9b3e53fd1ee956e4357f7777b27be98e41c269f0ef29b1311f308efe87525

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iytrgbdsf.exe
MD5
43ae58d1d4e86d2434e330ae0c93ef3b

SHA1
0ff0324a2bf7a6118ff0f18412779e4cc4685b71

SHA256
67d9607ec8ba7e1ebc4147030a53dc56d6fbe0eecda512739a02422785c934ae

SHA512
e8155036346031730b24e5869de16463cca7e88691e528098641aee3e3f8dddc7cd9b3e53fd1ee956e4357f7777b27be98e41c269f0ef29b1311f308efe87525

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfk1USsOJ5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfk1USsOJ5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfk1USsOJ5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqjgXwjmWN.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqjgXwjmWN.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSepg5d4fF.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSepg5d4fF.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSepg5d4fF.exe

Download Submit
C:\Windows\Temp\vrpaqpx4.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\euxse45q.inf

Download Submit
C:\Windows\temp\vrpaqpx4.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/404-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/404-19-0x000000000041A684-mapping.dmp

Download
memory/404-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/480-32-0x0000000000000000-mapping.dmp

Download
memory/656-64-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/656-71-0x0000000005760000-0x0000000005787000-memory.dmp

Filesize
156KB

Download
memory/656-56-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/656-44-0x0000000000000000-mapping.dmp

Download
memory/656-47-0x0000000071FA0000-0x000000007268E000-memory.dmp

Filesize
6.9MB

Download
memory/876-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/876-16-0x0000000000417A8B-mapping.dmp

Download
memory/876-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1088-95-0x00000000004133EE-mapping.dmp

Download
memory/1088-99-0x0000000071FA0000-0x000000007268E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1360-127-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/1360-179-0x0000000009820000-0x0000000009821000-memory.dmp

Filesize
4KB

Download
memory/1360-164-0x0000000009880000-0x0000000009881000-memory.dmp

Filesize
4KB

Download
memory/1360-106-0x0000000000000000-mapping.dmp

Download
memory/1360-146-0x0000000009360000-0x0000000009393000-memory.dmp

Filesize
204KB

Download
memory/1360-110-0x0000000071FA0000-0x000000007268E000-memory.dmp

Filesize
6.9MB

Download
memory/1456-163-0x0000024F260D0000-0x0000024F260D1000-memory.dmp

Filesize
4KB

Download
memory/1456-138-0x0000000000000000-mapping.dmp

Download
memory/1456-139-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/1456-142-0x0000024F25F20000-0x0000024F25F21000-memory.dmp

Filesize
4KB

Download
memory/1480-137-0x0000000000000000-mapping.dmp

Download
memory/2068-120-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/2068-121-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/2068-89-0x0000000001580000-0x0000000001585000-memory.dmp

Filesize
20KB

Download
memory/2068-79-0x0000000071FA0000-0x000000007268E000-memory.dmp

Filesize
6.9MB

Download
memory/2068-75-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2068-76-0x00000000004135CE-mapping.dmp

Download
memory/2364-124-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/2364-107-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/2364-98-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/2364-122-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/2364-87-0x0000000071FA0000-0x000000007268E000-memory.dmp

Filesize
6.9MB

Download
memory/2364-111-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/2364-109-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/2364-161-0x0000000008DD0000-0x0000000008DD1000-memory.dmp

Filesize
4KB

Download
memory/2364-170-0x0000000008F70000-0x0000000008F71000-memory.dmp

Filesize
4KB

Download
memory/2364-94-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/2364-73-0x0000000000000000-mapping.dmp

Download
memory/2364-108-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/2364-159-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/2456-2-0x0000000000000000-mapping.dmp

Download
memory/2504-85-0x0000000071FA0000-0x000000007268E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-78-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2504-80-0x00000000004253BE-mapping.dmp

Download
memory/2504-141-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/2688-48-0x0000000000000000-mapping.dmp

Download
memory/2688-189-0x0000000002370000-0x000000000237F000-memory.dmp

Filesize
60KB

Download
memory/2836-131-0x0000000000000000-mapping.dmp

Download
memory/2836-135-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2836-134-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-130-0x0000000000000000-mapping.dmp

Download
memory/3416-129-0x0000000000000000-mapping.dmp

Download
memory/3436-91-0x0000000000000000-mapping.dmp

Download
memory/3436-104-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/3500-33-0x0000000000000000-mapping.dmp

Download
memory/3544-55-0x0000000000000000-mapping.dmp

Download
memory/3544-62-0x0000000071FA0000-0x000000007268E000-memory.dmp

Filesize
6.9MB

Download
memory/3544-66-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/3544-86-0x00000000056C0000-0x00000000056DE000-memory.dmp

Filesize
120KB

Download
memory/3784-69-0x0000000000000000-mapping.dmp

Download
memory/3836-58-0x0000000000000000-mapping.dmp

Download
memory/3908-5-0x0000000000000000-mapping.dmp

Download
memory/3948-12-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3948-13-0x0000000000440102-mapping.dmp

Download
memory/3948-14-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4036-54-0x0000000071FA0000-0x000000007268E000-memory.dmp

Filesize
6.9MB

Download
memory/4036-72-0x0000000004B30000-0x0000000004B3D000-memory.dmp

Filesize
52KB

Download
memory/4036-70-0x0000000004B10000-0x0000000004B2D000-memory.dmp

Filesize
116KB

Download
memory/4036-61-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/4036-51-0x0000000000000000-mapping.dmp

Download
memory/4208-194-0x0000000000000000-mapping.dmp

Download
memory/4208-203-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4288-198-0x0000000000000000-mapping.dmp

Download
memory/4288-206-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4412-202-0x0000000000000000-mapping.dmp

Download
memory/4412-209-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4424-167-0x0000000000000000-mapping.dmp

Download
memory/4424-176-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4456-168-0x0000000000000000-mapping.dmp

Download
memory/4456-178-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4500-169-0x0000000000000000-mapping.dmp

Download
memory/4500-184-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4564-185-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4564-171-0x0000000000000000-mapping.dmp

Download
memory/4640-177-0x0000000000000000-mapping.dmp

Download
memory/4640-187-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4740-190-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4740-183-0x0000000000000000-mapping.dmp

Download
memory/4844-193-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4844-186-0x0000000000000000-mapping.dmp

Download
memory/4960-196-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/4960-188-0x0000000000000000-mapping.dmp

Download
memory/5064-201-0x00007FFFBC6B0000-0x00007FFFBD09C000-memory.dmp

Filesize
9.9MB

Download
memory/5064-191-0x0000000000000000-mapping.dmp

Download
memory/5584-327-0x0000000000000000-mapping.dmp

Download
memory/5584-259-0x0000000000000000-mapping.dmp

Download
memory/5584-242-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/5584-243-0x0000000000000000-mapping.dmp

Download
memory/5584-245-0x0000000000000000-mapping.dmp

Download
memory/5584-247-0x0000000000000000-mapping.dmp

Download
memory/5584-249-0x0000000000000000-mapping.dmp

Download
memory/5584-251-0x0000000000000000-mapping.dmp

Download
memory/5584-253-0x0000000000000000-mapping.dmp

Download
memory/5584-255-0x0000000000000000-mapping.dmp

Download
memory/5584-257-0x0000000000000000-mapping.dmp

Download
memory/5584-335-0x0000000000000000-mapping.dmp

Download
memory/5584-261-0x0000000000000000-mapping.dmp

Download
memory/5584-263-0x0000000000000000-mapping.dmp

Download
memory/5584-265-0x0000000000000000-mapping.dmp

Download
memory/5584-267-0x0000000000000000-mapping.dmp

Download
memory/5584-269-0x0000000000000000-mapping.dmp

Download
memory/5584-271-0x0000000000000000-mapping.dmp

Download
memory/5584-273-0x0000000000000000-mapping.dmp

Download
memory/5584-275-0x0000000000000000-mapping.dmp

Download
memory/5584-277-0x0000000000000000-mapping.dmp

Download
memory/5584-337-0x0000000000000000-mapping.dmp

Download
memory/5584-281-0x0000000000000000-mapping.dmp

Download
memory/5584-283-0x0000000000000000-mapping.dmp

Download
memory/5584-285-0x0000000000000000-mapping.dmp

Download
memory/5584-287-0x0000000000000000-mapping.dmp

Download
memory/5584-289-0x0000000000000000-mapping.dmp

Download
memory/5584-291-0x0000000000000000-mapping.dmp

Download
memory/5584-293-0x0000000000000000-mapping.dmp

Download
memory/5584-295-0x0000000000000000-mapping.dmp

Download
memory/5584-297-0x0000000000000000-mapping.dmp

Download
memory/5584-299-0x0000000000000000-mapping.dmp

Download
memory/5584-301-0x0000000000000000-mapping.dmp

Download
memory/5584-303-0x0000000000000000-mapping.dmp

Download
memory/5584-305-0x0000000000000000-mapping.dmp

Download
memory/5584-307-0x0000000000000000-mapping.dmp

Download
memory/5584-309-0x0000000000000000-mapping.dmp

Download
memory/5584-311-0x0000000000000000-mapping.dmp

Download
memory/5584-313-0x0000000000000000-mapping.dmp

Download
memory/5584-333-0x0000000000000000-mapping.dmp

Download
memory/5584-317-0x0000000000000000-mapping.dmp

Download
memory/5584-319-0x0000000000000000-mapping.dmp

Download
memory/5584-321-0x0000000000000000-mapping.dmp

Download
memory/5584-323-0x0000000000000000-mapping.dmp

Download
memory/5584-325-0x0000000000000000-mapping.dmp

Download
memory/5584-240-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/5584-329-0x0000000000000000-mapping.dmp

Download
memory/5584-331-0x0000000000000000-mapping.dmp

Download
memory/5584-315-0x0000000000000000-mapping.dmp

Download
memory/5584-241-0x0000000000000000-mapping.dmp

Download
memory/5584-279-0x0000000000000000-mapping.dmp

Download
memory/5584-339-0x0000000000000000-mapping.dmp

Download
memory/5584-341-0x0000000000000000-mapping.dmp

Download
memory/5584-343-0x0000000000000000-mapping.dmp

Download
memory/5584-345-0x0000000000000000-mapping.dmp

Download
memory/5584-347-0x0000000000000000-mapping.dmp

Download
memory/5584-349-0x0000000000000000-mapping.dmp

Download
memory/5584-351-0x0000000000000000-mapping.dmp

Download
memory/5584-353-0x0000000000000000-mapping.dmp

Download
memory/5584-355-0x0000000000000000-mapping.dmp

Download
memory/5584-357-0x0000000000000000-mapping.dmp

Download
memory/5584-359-0x0000000000000000-mapping.dmp

Download
memory/5584-361-0x0000000000000000-mapping.dmp

Download
memory/5584-363-0x0000000000000000-mapping.dmp

Download
memory/5584-365-0x0000000000000000-mapping.dmp

Download
memory/5584-367-0x0000000000000000-mapping.dmp

Download
memory/5584-369-0x0000000000000000-mapping.dmp

Download
memory/5584-371-0x0000000000000000-mapping.dmp

Download
memory/5584-373-0x0000000000000000-mapping.dmp

Download
memory/5584-375-0x0000000000000000-mapping.dmp

Download
memory/5584-377-0x0000000000000000-mapping.dmp

Download
memory/5584-379-0x0000000000000000-mapping.dmp

Download
memory/5584-381-0x0000000000000000-mapping.dmp

Download
memory/5584-383-0x0000000000000000-mapping.dmp

Download
memory/5584-385-0x0000000000000000-mapping.dmp

Download
memory/5584-387-0x0000000000000000-mapping.dmp

Download
memory/5584-389-0x0000000000000000-mapping.dmp

Download
memory/5584-391-0x0000000000000000-mapping.dmp

Download
memory/5584-393-0x0000000000000000-mapping.dmp

Download
memory/5584-395-0x0000000000000000-mapping.dmp

Download
memory/5584-397-0x0000000000000000-mapping.dmp

Download
memory/5584-399-0x0000000000000000-mapping.dmp

Download
memory/5584-401-0x0000000000000000-mapping.dmp

Download
memory/5584-403-0x0000000000000000-mapping.dmp

Download
memory/5584-405-0x0000000000000000-mapping.dmp

Download
memory/5584-407-0x0000000000000000-mapping.dmp

Download
memory/5584-409-0x0000000000000000-mapping.dmp

Download
memory/5584-411-0x0000000000000000-mapping.dmp

Download
memory/5584-413-0x0000000000000000-mapping.dmp

Download
memory/5584-415-0x0000000000000000-mapping.dmp

Download
memory/5584-417-0x0000000000000000-mapping.dmp

Download
memory/5584-419-0x0000000000000000-mapping.dmp

Download
memory/5584-421-0x0000000000000000-mapping.dmp

Download
memory/5584-423-0x0000000000000000-mapping.dmp

Download
memory/5584-425-0x0000000000000000-mapping.dmp

Download
memory/5584-427-0x0000000000000000-mapping.dmp

Download
memory/5584-429-0x0000000000000000-mapping.dmp

Download