Behavioral Report

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
1801s
max time network
1811s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

ou55sg33s_1.exe

Score

10^/10

asyncrat azorult betabot modiloader oski raccoon remcos 5e4db353b88c002ba6466c06437973619aad03b3 backdoor botnet discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

5e4db353b88c002ba6466c06437973619aad03b3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Extracted

Family

remcos

taenaia.ac.ug:6969

agentpapple.ac.ug:6969

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Contains code to disable Windows Defender ⋅ 10 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral31/memory/1548-121-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral31/memory/1548-122-0x000000000040616E-mapping.dmp	disable_win_def
behavioral31/memory/2520-142-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral31/memory/2520-143-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral31/files/0x000300000001abcb-161.dat	disable_win_def
behavioral31/files/0x000300000001abcb-160.dat	disable_win_def
behavioral31/memory/3700-533-0x000000000040616E-mapping.dmp	disable_win_def
behavioral31/memory/4176-553-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral31/files/0x000400000001abe7-643.dat	disable_win_def
behavioral31/files/0x000400000001abe7-642.dat	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings ⋅ 3 TTPs
evasion trojan

TTPs:

Modify Registry Modify Existing Service Disabling Security Tools

Modifies firewall policy service ⋅ 2 TTPs 8 IoCs

evasion

TTPs:

Modify Registry Modify Existing Service

Processes:

explorer.exea599quq1595ek_1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	a599quq1595ek_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	a599quq1595ek_1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	a599quq1595ek_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	a599quq1595ek_1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe

Modifies security service ⋅ 2 TTPs 1 IoCs
evasion

TTPs:

Modify Registry Modify Existing Service

Processes:

regedit.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath regedit.exe
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass ⋅ 3 TTPs
evasion trojan

TTPs:

Bypass User Account Control Disabling Security Tools Modify Registry

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath	regedit.exe

Async RAT payload ⋅ 3 IoCs

rat

Processes:

resource	yara_rule
behavioral31/memory/512-112-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral31/memory/512-113-0x000000000040C76E-mapping.dmp	asyncrat
behavioral31/memory/4972-516-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage ⋅ 2 IoCs

Processes:

resource	yara_rule
behavioral31/memory/3900-171-0x0000000002A60000-0x0000000002ABC000-memory.dmp	modiloader_stage1
behavioral31/memory/4476-534-0x00000000041C0000-0x000000000421C000-memory.dmp	modiloader_stage1

Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points ⋅ 1 TTPs
evasion

TTPs:

Inhibit System Recovery
Downloads MZ/PE file

Executes dropped EXE ⋅ 31 IoCs

Processes:

a599quq1595ek_1.exea599quq1595ek_1.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exemc1wc5757.exeWxzzZNQHI3.execLK6vDADey.exeUrXJ4xouC3.exeZSZAUJV5RA.exeWxzzZNQHI3.exeUrXJ4xouC3.exeZSZAUJV5RA.exempmheacv.exeazchgftrq.exemc1wc5757.exemc1wc5757.exebEAuR4J6Mp.exeoGMCJJj985.exelbZoNDahtD.exer4smJnFUj3.exebEAuR4J6Mp.exelbZoNDahtD.exer4smJnFUj3.exeozchgftrq.exeazchgftrq.exeozchgftrq.exeynxywetm.exe

pid	process
3636	a599quq1595ek_1.exe
2604	a599quq1595ek_1.exe
1256	a7eo39ywgs5.exe
3784	FGbfttrev.exe
2192	FDvbcgfert.exe
3940	a7eo39ywgs5.exe
1892	FGbfttrev.exe
188	FDvbcgfert.exe
2936	mc1wc5757.exe
3192	WxzzZNQHI3.exe
3900	cLK6vDADey.exe
992	UrXJ4xouC3.exe
644	ZSZAUJV5RA.exe
512	WxzzZNQHI3.exe
1548	UrXJ4xouC3.exe
2520	ZSZAUJV5RA.exe
1236	mpmheacv.exe
1012	azchgftrq.exe
2764	mc1wc5757.exe
360	mc1wc5757.exe
4876	bEAuR4J6Mp.exe
4476	oGMCJJj985.exe
4532	lbZoNDahtD.exe
5084	r4smJnFUj3.exe
4972	bEAuR4J6Mp.exe
3700	lbZoNDahtD.exe
4176	r4smJnFUj3.exe
4956	ozchgftrq.exe
4208	azchgftrq.exe
4528	ozchgftrq.exe
2132	ynxywetm.exe

Sets file execution options in registry ⋅ 2 TTPs
persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry
Sets service image path in registry ⋅ 2 TTPs
persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry
Checks BIOS information in registry ⋅ 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Loads dropped DLL ⋅ 13 IoCs

Processes:

FDvbcgfert.exea7eo39ywgs5.exemc1wc5757.exeozchgftrq.exe

pid	process
188	FDvbcgfert.exe
188	FDvbcgfert.exe
188	FDvbcgfert.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
360	mc1wc5757.exe
4528	ozchgftrq.exe
4528	ozchgftrq.exe
4528	ozchgftrq.exe

Reads user/profile data of local email clients ⋅ 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files

Windows security modification ⋅ 2 TTPs 3 IoCs

evasion trojan

TTPs:

Disabling Security Tools Modify Registry

Processes:

ZSZAUJV5RA.exer4smJnFUj3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ZSZAUJV5RA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ZSZAUJV5RA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r4smJnFUj3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
spyware

TTPs:

Data from Local System Credentials in Files

Adds Run key to start application ⋅ 2 TTPs 13 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

explorer.exemc1wc5757.execLK6vDADey.exeregedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe\""	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	mc1wc5757.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe\""	mc1wc5757.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe\""	mc1wc5757.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zsle = "C:\\Users\\Admin\\AppData\\Local\\elsZ.url"	cLK6vDADey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	mc1wc5757.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe\""	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe\""	regedit.exe

Checks for any installed AV software in registry ⋅ 1 TTPs 2 IoCs

TTPs:

Security Software Discovery

Processes:

a599quq1595ek_1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	a599quq1595ek_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService	a599quq1595ek_1.exe

Checks installed software on the system ⋅ 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

TTPs:

Query Registry

Checks whether UAC is enabled ⋅ 1 TTPs 4 IoCs

evasion trojan

TTPs:

System Information Discovery

Processes:

a599quq1595ek_1.exea7eo39ywgs5.exemc1wc5757.exeou55sg33s_1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a599quq1595ek_1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a7eo39ywgs5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mc1wc5757.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ou55sg33s_1.exe

Drops desktop.ini file(s) ⋅ 3 IoCs

Processes:

explorer.exea7eo39ywgs5.exemc1wc5757.exe

description	ioc	process
File opened for modification	C:\ProgramData\Google Updater 5.0\desktop.ini	explorer.exe
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	a7eo39ywgs5.exe
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	mc1wc5757.exe

Maps connected drives based on registry ⋅ 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

mc1wc5757.exea7eo39ywgs5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	mc1wc5757.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	a7eo39ywgs5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	a7eo39ywgs5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	mc1wc5757.exe

Suspicious use of NtSetInformationThreadHideFromDebugger ⋅ 27 IoCs

Processes:

ou55sg33s_1.exeexplorer.exea599quq1595ek_1.exea7eo39ywgs5.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exemc1wc5757.exe

pid	process
4004	ou55sg33s_1.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
2604	a599quq1595ek_1.exe
1256	a7eo39ywgs5.exe
1256	a7eo39ywgs5.exe
1256	a7eo39ywgs5.exe
1256	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
1892	FGbfttrev.exe
1892	FGbfttrev.exe
188	FDvbcgfert.exe
188	FDvbcgfert.exe
2936	mc1wc5757.exe
2936	mc1wc5757.exe
2936	mc1wc5757.exe
2936	mc1wc5757.exe

Suspicious use of SetThreadContext ⋅ 15 IoCs

Processes:

ou55sg33s_1.exea599quq1595ek_1.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exeWxzzZNQHI3.exeUrXJ4xouC3.exeZSZAUJV5RA.exemc1wc5757.exebEAuR4J6Mp.exelbZoNDahtD.exer4smJnFUj3.exeazchgftrq.execLK6vDADey.exeozchgftrq.exe

description	pid	process	target process
PID 1212 set thread context of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 3636 set thread context of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 1256 set thread context of 3940	1256	a7eo39ywgs5.exe	a7eo39ywgs5.exe
PID 3784 set thread context of 1892	3784	FGbfttrev.exe	FGbfttrev.exe
PID 2192 set thread context of 188	2192	FDvbcgfert.exe	FDvbcgfert.exe
PID 3192 set thread context of 512	3192	WxzzZNQHI3.exe	WxzzZNQHI3.exe
PID 992 set thread context of 1548	992	UrXJ4xouC3.exe	UrXJ4xouC3.exe
PID 644 set thread context of 2520	644	ZSZAUJV5RA.exe	ZSZAUJV5RA.exe
PID 2936 set thread context of 360	2936	mc1wc5757.exe	mc1wc5757.exe
PID 4876 set thread context of 4972	4876	bEAuR4J6Mp.exe	bEAuR4J6Mp.exe
PID 4532 set thread context of 3700	4532	lbZoNDahtD.exe	lbZoNDahtD.exe
PID 5084 set thread context of 4176	5084	r4smJnFUj3.exe	r4smJnFUj3.exe
PID 1012 set thread context of 4208	1012	azchgftrq.exe	azchgftrq.exe
PID 3900 set thread context of 1888	3900	cLK6vDADey.exe	ieinstal.exe
PID 4956 set thread context of 4528	4956	ozchgftrq.exe	ozchgftrq.exe

Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

Checks processor information in registry ⋅ 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

a599quq1595ek_1.exeFDvbcgfert.exeozchgftrq.exeou55sg33s_1.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a599quq1595ek_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a599quq1595ek_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ozchgftrq.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ou55sg33s_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ou55sg33s_1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe ⋅ 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2324 timeout.exe
4856 timeout.exe

pid	process
2324	timeout.exe
4856	timeout.exe

Enumerates system info in registry ⋅ 2 TTPs 2 IoCs

TTPs:

Query Registry System Information Discovery

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Kills process with taskkill ⋅ 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1676 taskkill.exe
2244 taskkill.exe
5012 taskkill.exe
3108 taskkill.exe

pid	process
1676	taskkill.exe
2244	taskkill.exe
5012	taskkill.exe
3108	taskkill.exe

Modifies Internet Explorer Protected Mode ⋅ 1 TTPs 4 IoCs

TTPs:

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner ⋅ 1 TTPs 1 IoCs

TTPs:

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings ⋅ 1 TTPs 5 IoCs

adware spyware

TTPs:

Modify Registry

Processes:

explorer.exeregedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"	regedit.exe

Modifies registry key ⋅ 1 TTPs 3 IoCs

TTPs:

Modify Registry

Processes:

reg.exereg.exereg.exe

pid process

4520 reg.exe
1940 reg.exe
5000 reg.exe

pid	process
4520	reg.exe
1940	reg.exe
5000	reg.exe

Modifies system certificate store ⋅ 2 TTPs 2 IoCs

evasion spyware trojan

TTPs:

Install Root Certificate Modify Registry

Processes:

cLK6vDADey.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	cLK6vDADey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cLK6vDADey.exe

NTFS ADS ⋅ 2 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe:150EFC68	explorer.exe
File created	C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe:150EFC68	explorer.exe

Runs regedit.exe ⋅ 1 IoCs

Processes:

regedit.exe

pid process

1224 regedit.exe

pid	process
1224	regedit.exe

Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs

Processes:

explorer.exeUrXJ4xouC3.exe

pid	process
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe

Suspicious behavior: MapViewOfSection ⋅ 9 IoCs

Processes:

ou55sg33s_1.exea599quq1595ek_1.exeexplorer.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exe

pid	process
4004	ou55sg33s_1.exe
4004	ou55sg33s_1.exe
2604	a599quq1595ek_1.exe
2604	a599quq1595ek_1.exe
4084	explorer.exe
1256	a7eo39ywgs5.exe
3784	FGbfttrev.exe
2192	FDvbcgfert.exe
4084	explorer.exe

Suspicious behavior: RenamesItself ⋅ 1 IoCs

Processes:

ou55sg33s_1.exe

pid process

4004 ou55sg33s_1.exe

Suspicious use of AdjustPrivilegeToken ⋅ 64 IoCs

Processes:

ou55sg33s_1.exeexplorer.exea599quq1595ek_1.exeregedit.exetaskkill.exeWxzzZNQHI3.exeUrXJ4xouC3.exeUrXJ4xouC3.exe

description	pid	process
Token: SeDebugPrivilege	4004	ou55sg33s_1.exe
Token: SeRestorePrivilege	4004	ou55sg33s_1.exe
Token: SeBackupPrivilege	4004	ou55sg33s_1.exe
Token: SeLoadDriverPrivilege	4004	ou55sg33s_1.exe
Token: SeCreatePagefilePrivilege	4004	ou55sg33s_1.exe
Token: SeShutdownPrivilege	4004	ou55sg33s_1.exe
Token: SeTakeOwnershipPrivilege	4004	ou55sg33s_1.exe
Token: SeChangeNotifyPrivilege	4004	ou55sg33s_1.exe
Token: SeCreateTokenPrivilege	4004	ou55sg33s_1.exe
Token: SeMachineAccountPrivilege	4004	ou55sg33s_1.exe
Token: SeSecurityPrivilege	4004	ou55sg33s_1.exe
Token: SeAssignPrimaryTokenPrivilege	4004	ou55sg33s_1.exe
Token: SeCreateGlobalPrivilege	4004	ou55sg33s_1.exe
Token: 33	4004	ou55sg33s_1.exe
Token: SeDebugPrivilege	4084	explorer.exe
Token: SeRestorePrivilege	4084	explorer.exe
Token: SeBackupPrivilege	4084	explorer.exe
Token: SeLoadDriverPrivilege	4084	explorer.exe
Token: SeCreatePagefilePrivilege	4084	explorer.exe
Token: SeShutdownPrivilege	4084	explorer.exe
Token: SeTakeOwnershipPrivilege	4084	explorer.exe
Token: SeChangeNotifyPrivilege	4084	explorer.exe
Token: SeCreateTokenPrivilege	4084	explorer.exe
Token: SeMachineAccountPrivilege	4084	explorer.exe
Token: SeSecurityPrivilege	4084	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	4084	explorer.exe
Token: SeCreateGlobalPrivilege	4084	explorer.exe
Token: 33	4084	explorer.exe
Token: SeDebugPrivilege	2604	a599quq1595ek_1.exe
Token: SeRestorePrivilege	2604	a599quq1595ek_1.exe
Token: SeBackupPrivilege	2604	a599quq1595ek_1.exe
Token: SeLoadDriverPrivilege	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeShutdownPrivilege	2604	a599quq1595ek_1.exe
Token: SeTakeOwnershipPrivilege	2604	a599quq1595ek_1.exe
Token: SeChangeNotifyPrivilege	2604	a599quq1595ek_1.exe
Token: SeCreateTokenPrivilege	2604	a599quq1595ek_1.exe
Token: SeMachineAccountPrivilege	2604	a599quq1595ek_1.exe
Token: SeSecurityPrivilege	2604	a599quq1595ek_1.exe
Token: SeAssignPrimaryTokenPrivilege	2604	a599quq1595ek_1.exe
Token: SeCreateGlobalPrivilege	2604	a599quq1595ek_1.exe
Token: 33	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeDebugPrivilege	1224	regedit.exe
Token: SeRestorePrivilege	1224	regedit.exe
Token: SeBackupPrivilege	1224	regedit.exe
Token: SeLoadDriverPrivilege	1224	regedit.exe
Token: SeCreatePagefilePrivilege	1224	regedit.exe
Token: SeShutdownPrivilege	1224	regedit.exe
Token: SeTakeOwnershipPrivilege	1224	regedit.exe
Token: SeChangeNotifyPrivilege	1224	regedit.exe
Token: SeCreateTokenPrivilege	1224	regedit.exe
Token: SeMachineAccountPrivilege	1224	regedit.exe
Token: SeSecurityPrivilege	1224	regedit.exe
Token: SeAssignPrimaryTokenPrivilege	1224	regedit.exe
Token: SeCreateGlobalPrivilege	1224	regedit.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	3192	WxzzZNQHI3.exe
Token: SeDebugPrivilege	992	UrXJ4xouC3.exe
Token: SeDebugPrivilege	1548	UrXJ4xouC3.exe

Suspicious use of SetWindowsHookEx ⋅ 7 IoCs

Processes:

a7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exeUrXJ4xouC3.exelbZoNDahtD.exe

pid process

1256 a7eo39ywgs5.exe
3784 FGbfttrev.exe
2192 FDvbcgfert.exe
1548 UrXJ4xouC3.exe
1548 UrXJ4xouC3.exe
3700 lbZoNDahtD.exe
3700 lbZoNDahtD.exe

pid	process
1256	a7eo39ywgs5.exe
3784	FGbfttrev.exe
2192	FDvbcgfert.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
3700	lbZoNDahtD.exe
3700	lbZoNDahtD.exe

Suspicious use of WriteProcessMemory ⋅ 64 IoCs

Processes:

ou55sg33s_1.exeou55sg33s_1.exeexplorer.exea599quq1595ek_1.exea599quq1595ek_1.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exeFDvbcgfert.execmd.exea7eo39ywgs5.exe

description	pid	process	target process
PID 1212 wrote to memory of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 1212 wrote to memory of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 1212 wrote to memory of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 1212 wrote to memory of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 1212 wrote to memory of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 4004 wrote to memory of 4084	4004	ou55sg33s_1.exe	explorer.exe
PID 4004 wrote to memory of 4084	4004	ou55sg33s_1.exe	explorer.exe
PID 4004 wrote to memory of 4084	4004	ou55sg33s_1.exe	explorer.exe
PID 4084 wrote to memory of 3636	4084	explorer.exe	a599quq1595ek_1.exe
PID 4084 wrote to memory of 3636	4084	explorer.exe	a599quq1595ek_1.exe
PID 4084 wrote to memory of 3636	4084	explorer.exe	a599quq1595ek_1.exe
PID 3636 wrote to memory of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 3636 wrote to memory of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 3636 wrote to memory of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 3636 wrote to memory of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 3636 wrote to memory of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 2604 wrote to memory of 1224	2604	a599quq1595ek_1.exe	regedit.exe
PID 2604 wrote to memory of 1224	2604	a599quq1595ek_1.exe	regedit.exe
PID 2604 wrote to memory of 1224	2604	a599quq1595ek_1.exe	regedit.exe
PID 4084 wrote to memory of 1256	4084	explorer.exe	a7eo39ywgs5.exe
PID 4084 wrote to memory of 1256	4084	explorer.exe	a7eo39ywgs5.exe
PID 4084 wrote to memory of 1256	4084	explorer.exe	a7eo39ywgs5.exe
PID 4084 wrote to memory of 1256	4084	explorer.exe	a7eo39ywgs5.exe
PID 4084 wrote to memory of 1256	4084	explorer.exe	a7eo39ywgs5.exe
PID 1256 wrote to memory of 3784	1256	a7eo39ywgs5.exe	FGbfttrev.exe
PID 1256 wrote to memory of 3784	1256	a7eo39ywgs5.exe	FGbfttrev.exe
PID 1256 wrote to memory of 3784	1256	a7eo39ywgs5.exe	FGbfttrev.exe
PID 1256 wrote to memory of 2192	1256	a7eo39ywgs5.exe	FDvbcgfert.exe
PID 1256 wrote to memory of 2192	1256	a7eo39ywgs5.exe	FDvbcgfert.exe
PID 1256 wrote to memory of 2192	1256	a7eo39ywgs5.exe	FDvbcgfert.exe
PID 1256 wrote to memory of 3940	1256	a7eo39ywgs5.exe	a7eo39ywgs5.exe
PID 1256 wrote to memory of 3940	1256	a7eo39ywgs5.exe	a7eo39ywgs5.exe
PID 1256 wrote to memory of 3940	1256	a7eo39ywgs5.exe	a7eo39ywgs5.exe
PID 1256 wrote to memory of 3940	1256	a7eo39ywgs5.exe	a7eo39ywgs5.exe
PID 3784 wrote to memory of 1892	3784	FGbfttrev.exe	FGbfttrev.exe
PID 3784 wrote to memory of 1892	3784	FGbfttrev.exe	FGbfttrev.exe
PID 3784 wrote to memory of 1892	3784	FGbfttrev.exe	FGbfttrev.exe
PID 3784 wrote to memory of 1892	3784	FGbfttrev.exe	FGbfttrev.exe
PID 2192 wrote to memory of 188	2192	FDvbcgfert.exe	FDvbcgfert.exe
PID 2192 wrote to memory of 188	2192	FDvbcgfert.exe	FDvbcgfert.exe
PID 2192 wrote to memory of 188	2192	FDvbcgfert.exe	FDvbcgfert.exe
PID 2192 wrote to memory of 188	2192	FDvbcgfert.exe	FDvbcgfert.exe
PID 188 wrote to memory of 936	188	FDvbcgfert.exe	cmd.exe
PID 188 wrote to memory of 936	188	FDvbcgfert.exe	cmd.exe
PID 188 wrote to memory of 936	188	FDvbcgfert.exe	cmd.exe
PID 936 wrote to memory of 1676	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 1676	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 1676	936	cmd.exe	taskkill.exe
PID 4084 wrote to memory of 2936	4084	explorer.exe	mc1wc5757.exe
PID 4084 wrote to memory of 2936	4084	explorer.exe	mc1wc5757.exe
PID 4084 wrote to memory of 2936	4084	explorer.exe	mc1wc5757.exe
PID 4084 wrote to memory of 2936	4084	explorer.exe	mc1wc5757.exe
PID 4084 wrote to memory of 2936	4084	explorer.exe	mc1wc5757.exe
PID 3940 wrote to memory of 3192	3940	a7eo39ywgs5.exe	WxzzZNQHI3.exe
PID 3940 wrote to memory of 3192	3940	a7eo39ywgs5.exe	WxzzZNQHI3.exe
PID 3940 wrote to memory of 3192	3940	a7eo39ywgs5.exe	WxzzZNQHI3.exe
PID 3940 wrote to memory of 3900	3940	a7eo39ywgs5.exe	cLK6vDADey.exe
PID 3940 wrote to memory of 3900	3940	a7eo39ywgs5.exe	cLK6vDADey.exe
PID 3940 wrote to memory of 3900	3940	a7eo39ywgs5.exe	cLK6vDADey.exe
PID 3940 wrote to memory of 992	3940	a7eo39ywgs5.exe	UrXJ4xouC3.exe
PID 3940 wrote to memory of 992	3940	a7eo39ywgs5.exe	UrXJ4xouC3.exe
PID 3940 wrote to memory of 992	3940	a7eo39ywgs5.exe	UrXJ4xouC3.exe
PID 3940 wrote to memory of 644	3940	a7eo39ywgs5.exe	ZSZAUJV5RA.exe
PID 3940 wrote to memory of 644	3940	a7eo39ywgs5.exe	ZSZAUJV5RA.exe

C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe

"C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"

Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:1212

C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe

"C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"

Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks processor information in registry
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:4004

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Modifies firewall policy service
Checks BIOS information in registry
Adds Run key to start application
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:4084

C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe

/suac

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:3636

C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe

"C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe"

Modifies firewall policy service
Executes dropped EXE
Checks for any installed AV software in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks processor information in registry
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:2604

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\SysWOW64\regedit.exe"

Modifies security service
Adds Run key to start application
Modifies Internet Explorer settings
Runs regedit.exe
Suspicious use of AdjustPrivilegeToken

PID:1224

C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe

"C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe"

Executes dropped EXE
Checks whether UAC is enabled
Maps connected drives based on registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1256

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:3784

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"

Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger

PID:1892

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:2192

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"

Executes dropped EXE
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks processor information in registry
Suspicious use of WriteProcessMemory

PID:188

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 188 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\628675879158083\\* & exit

Suspicious use of WriteProcessMemory

PID:936

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 188

Kills process with taskkill
Suspicious use of AdjustPrivilegeToken

PID:1676

C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe

"C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe"

Executes dropped EXE
Loads dropped DLL
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of WriteProcessMemory

PID:3940

C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe

"C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken

PID:3192

C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe

"C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe"

Executes dropped EXE

PID:512

C:\Users\Admin\AppData\Local\Temp\cLK6vDADey.exe

"C:\Users\Admin\AppData\Local\Temp\cLK6vDADey.exe"

Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Modifies system certificate store

PID:3900

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\System32\svchost.exe"

PID:4960

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ZvOXjtso.bat" "

PID:420

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

Modifies registry key

PID:4520

C:\Windows\SysWOW64\reg.exe

reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "

Modifies registry key

PID:1940

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

PID:4620

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

Modifies registry key

PID:5000

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ZvOXjtso.bat" "

PID:4132

C:\Program Files (x86)\internet explorer\ieinstal.exe

"C:\Program Files (x86)\internet explorer\ieinstal.exe"

PID:1888

C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe

"C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken

PID:992

C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe

"C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe"

Executes dropped EXE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:1548

\??\c:\windows\SysWOW64\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\ia3j3zrx.inf

PID:3444

C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe

"C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe"

Executes dropped EXE
Suspicious use of SetThreadContext

PID:644

C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe

"C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe"

Executes dropped EXE
Windows security modification

PID:2520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

PID:1464

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe"

PID:3880

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

Delays execution with timeout.exe

PID:2324

C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe

"C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe"

Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

PID:2936

C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"

Executes dropped EXE
Suspicious use of SetThreadContext

PID:1012

C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"

Executes dropped EXE
Suspicious use of SetThreadContext

PID:4956

C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

"{path}"

Executes dropped EXE
Loads dropped DLL
Checks processor information in registry

PID:4528

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 4528 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\090407618315232\\* & exit

PID:4500

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 4528

Kills process with taskkill

PID:3108

C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

"{path}"

Executes dropped EXE

PID:4208

C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe

"{path}"

Executes dropped EXE

PID:2764

C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe

"{path}"

Executes dropped EXE
Loads dropped DLL
Drops desktop.ini file(s)

PID:360

C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe

"C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe"

Executes dropped EXE
Suspicious use of SetThreadContext

PID:4876

C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe

"C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe"

Executes dropped EXE

PID:4972

C:\Users\Admin\AppData\Local\Temp\oGMCJJj985.exe

"C:\Users\Admin\AppData\Local\Temp\oGMCJJj985.exe"

Executes dropped EXE

PID:4476

C:\Program Files (x86)\internet explorer\ieinstal.exe

"C:\Program Files (x86)\internet explorer\ieinstal.exe"

PID:4184

C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe

"C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe"

Executes dropped EXE
Suspicious use of SetThreadContext

PID:4532

C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe

"C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe"

Executes dropped EXE
Suspicious use of SetWindowsHookEx

PID:3700

\??\c:\windows\SysWOW64\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\gqmczy35.inf

PID:4656

C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe

"C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe"

Executes dropped EXE
Suspicious use of SetThreadContext

PID:5084

C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe

"C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe"

Executes dropped EXE
Windows security modification

PID:4176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

PID:4964

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe"

PID:4436

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

Delays execution with timeout.exe

PID:4856

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

PID:3888

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Windows\temp\mpmheacv.exe

PID:2316

C:\Windows\temp\mpmheacv.exe

C:\Windows\temp\mpmheacv.exe

Executes dropped EXE

PID:1236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true

PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true

PID:3400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true

PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true

PID:3660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true

PID:3236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force

PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6

PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0

PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6

PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true

PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2

PID:4784

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM cmstp.exe /F

Kills process with taskkill

PID:2244

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Windows\temp\ynxywetm.exe

PID:4364

C:\Windows\temp\ynxywetm.exe

C:\Windows\temp\ynxywetm.exe

Executes dropped EXE

PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

PID:4316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true

PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true

PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true

PID:3128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true

PID:500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true

PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force

PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6

PID:3428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0

PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6

PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true

PID:5224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2

PID:5344

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM cmstp.exe /F

Kills process with taskkill

PID:5012

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Inhibit System Recovery

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Bypass User Account Control

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UrXJ4xouC3.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WxzzZNQHI3.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZSZAUJV5RA.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bEAuR4J6Mp.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lbZoNDahtD.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r4smJnFUj3.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\A3FBG8XH.cookie

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLK6vDADey.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLK6vDADey.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGMCJJj985.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGMCJJj985.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe

Download Submit
C:\Users\Public\ZvOXjtso.bat

Download Submit
C:\Windows\Temp\mpmheacv.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\Temp\ynxywetm.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\gqmczy35.inf

Download Submit
C:\Windows\temp\ia3j3zrx.inf

Download Submit
C:\Windows\temp\mpmheacv.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\ynxywetm.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/188-45-0x0000000000417A8B-mapping.dmp

Download
memory/188-44-0x0000000000400000-0x0000000000438000-memory.dmp

Download
memory/188-47-0x0000000000400000-0x0000000000438000-memory.dmp

Download
memory/360-311-0x000000000043FA56-mapping.dmp

Download
memory/360-309-0x0000000000400000-0x0000000000493000-memory.dmp

Download
memory/360-314-0x0000000000400000-0x0000000000493000-memory.dmp

Download
memory/400-189-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/400-184-0x0000000000000000-mapping.dmp

Download
memory/420-633-0x0000000000000000-mapping.dmp

Download
memory/500-691-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/500-684-0x0000000000000000-mapping.dmp

Download
memory/512-112-0x0000000000400000-0x0000000000412000-memory.dmp

Download
memory/512-113-0x000000000040C76E-mapping.dmp

Download
memory/512-116-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/644-103-0x00000000000C0000-0x00000000000C1000-memory.dmp

Download
memory/644-100-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/644-95-0x0000000000000000-mapping.dmp

Download
memory/644-140-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

Download
memory/936-56-0x0000000000000000-mapping.dmp

Download
memory/992-88-0x0000000000000000-mapping.dmp

Download
memory/992-119-0x00000000058B0000-0x00000000058ED000-memory.dmp

Download
memory/992-94-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Download
memory/992-92-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/1012-315-0x0000000000E20000-0x0000000000E21000-memory.dmp

Download
memory/1012-538-0x00000000089E0000-0x0000000008A27000-memory.dmp

Download
memory/1012-306-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/1012-302-0x0000000000000000-mapping.dmp

Download
memory/1144-688-0x0000000000000000-mapping.dmp

Download
memory/1144-693-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/1224-15-0x0000000000000000-mapping.dmp

Download
memory/1224-16-0x0000000000A60000-0x0000000000AF3000-memory.dmp

Download
memory/1224-19-0x0000000000A60000-0x0000000000AF3000-memory.dmp

Download
memory/1236-159-0x0000000000000000-mapping.dmp

Download
memory/1236-162-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/1236-158-0x0000000000000000-mapping.dmp

Download
memory/1236-163-0x0000000000C90000-0x0000000000C91000-memory.dmp

Download
memory/1256-21-0x0000000000000000-mapping.dmp

Download
memory/1340-193-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/1340-187-0x0000000000000000-mapping.dmp

Download
memory/1464-156-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Download
memory/1464-149-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/1464-155-0x0000000007D80000-0x0000000007D81000-memory.dmp

Download
memory/1464-183-0x00000000097D0000-0x00000000097D1000-memory.dmp

Download
memory/1464-185-0x0000000009990000-0x0000000009991000-memory.dmp

Download
memory/1464-175-0x0000000009690000-0x00000000096C3000-memory.dmp

Download
memory/1464-150-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Download
memory/1464-151-0x00000000076E0000-0x00000000076E1000-memory.dmp

Download
memory/1464-229-0x0000000008790000-0x0000000008791000-memory.dmp

Download
memory/1464-231-0x0000000007290000-0x0000000007291000-memory.dmp

Download
memory/1464-169-0x00000000086A0000-0x00000000086A1000-memory.dmp

Download
memory/1464-167-0x00000000082D0000-0x00000000082D1000-memory.dmp

Download
memory/1464-154-0x0000000007620000-0x0000000007621000-memory.dmp

Download
memory/1464-157-0x0000000007F80000-0x0000000007F81000-memory.dmp

Download
memory/1464-182-0x0000000009670000-0x0000000009671000-memory.dmp

Download
memory/1464-148-0x0000000000000000-mapping.dmp

Download
memory/1464-168-0x0000000008930000-0x0000000008931000-memory.dmp

Download
memory/1548-125-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/1548-121-0x0000000000400000-0x000000000040C000-memory.dmp

Download
memory/1548-122-0x000000000040616E-mapping.dmp

Download
memory/1676-57-0x0000000000000000-mapping.dmp

Download
memory/1888-628-0x0000000000400000-0x0000000000418000-memory.dmp

Download
memory/1888-626-0x000000000040DDD4-mapping.dmp

Download
memory/1888-623-0x0000000000400000-0x0000000000418000-memory.dmp

Download
memory/1892-41-0x000000000041A684-mapping.dmp

Download
memory/1892-40-0x0000000000400000-0x0000000000424000-memory.dmp

Download
memory/1892-43-0x0000000000400000-0x0000000000424000-memory.dmp

Download
memory/1940-664-0x0000000000000000-mapping.dmp

Download
memory/2132-639-0x0000000000000000-mapping.dmp

Download
memory/2132-640-0x0000000000000000-mapping.dmp

Download
memory/2132-644-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/2192-29-0x0000000000000000-mapping.dmp

Download
memory/2244-166-0x0000000000000000-mapping.dmp

Download
memory/2316-153-0x0000000000000000-mapping.dmp

Download
memory/2324-108-0x0000000000000000-mapping.dmp

Download
memory/2520-143-0x0000000000403BEE-mapping.dmp

Download
memory/2520-145-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/2520-142-0x0000000000400000-0x0000000000408000-memory.dmp

Download
memory/2604-18-0x00000000027C0000-0x00000000027CB000-memory.dmp

Download
memory/2604-12-0x00000000004015C6-mapping.dmp

Download
memory/2936-59-0x0000000000000000-mapping.dmp

Download
memory/2936-69-0x0000000008EE0000-0x0000000008EE1000-memory.dmp

Download
memory/2936-67-0x0000000005610000-0x0000000005611000-memory.dmp

Download
memory/2936-62-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/2936-64-0x00000000004E0000-0x00000000004E1000-memory.dmp

Download
memory/2936-66-0x0000000005A10000-0x0000000005A11000-memory.dmp

Download
memory/2936-68-0x00000000055E0000-0x00000000055E1000-memory.dmp

Download
memory/2936-76-0x0000000008AB0000-0x0000000008AC4000-memory.dmp

Download
memory/2936-276-0x0000000008D70000-0x0000000008E2A000-memory.dmp

Download
memory/2936-278-0x0000000009410000-0x0000000009411000-memory.dmp

Download
memory/3108-699-0x0000000000000000-mapping.dmp

Download
memory/3128-677-0x0000000000000000-mapping.dmp

Download
memory/3128-689-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/3192-111-0x0000000005450000-0x0000000005466000-memory.dmp

Download
memory/3192-110-0x0000000005080000-0x00000000050B9000-memory.dmp

Download
memory/3192-78-0x0000000000000000-mapping.dmp

Download
memory/3192-81-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/3192-84-0x0000000000610000-0x0000000000611000-memory.dmp

Download
memory/3236-192-0x0000000000000000-mapping.dmp

Download
memory/3236-197-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/3400-186-0x0000000000000000-mapping.dmp

Download
memory/3400-191-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/3428-700-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/3428-692-0x0000000000000000-mapping.dmp

Download
memory/3444-138-0x00000000049B0000-0x0000000004AB1000-memory.dmp

Download
memory/3444-130-0x0000000000000000-mapping.dmp

Download
memory/3636-8-0x0000000000000000-mapping.dmp

Download
memory/3660-190-0x0000000000000000-mapping.dmp

Download
memory/3660-195-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/3700-536-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/3700-533-0x000000000040616E-mapping.dmp

Download
memory/3784-26-0x0000000000000000-mapping.dmp

Download
memory/3876-170-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/3876-172-0x000002794C5C0000-0x000002794C5C1000-memory.dmp

Download
memory/3876-173-0x000002794C770000-0x000002794C771000-memory.dmp

Download
memory/3876-165-0x0000000000000000-mapping.dmp

Download
memory/3880-96-0x0000000000000000-mapping.dmp

Download
memory/3900-619-0x0000000050480000-0x000000005049A000-memory.dmp

Download
memory/3900-82-0x0000000000000000-mapping.dmp

Download
memory/3900-239-0x0000000004D10000-0x0000000004D61000-memory.dmp

Download
memory/3900-171-0x0000000002A60000-0x0000000002ABC000-memory.dmp

Download
memory/3940-39-0x0000000000400000-0x0000000000497000-memory.dmp

Download
memory/3940-33-0x0000000000400000-0x0000000000497000-memory.dmp

Download
memory/3940-36-0x000000000043FA56-mapping.dmp

Download
memory/4004-4-0x0000000002C40000-0x0000000003080000-memory.dmp

Download
memory/4004-0-0x0000000000400000-0x0000000000435000-memory.dmp

Download
memory/4004-2-0x0000000000400000-0x0000000000435000-memory.dmp

Download
memory/4004-1-0x00000000004015C6-mapping.dmp

Download
memory/4004-3-0x00000000027F0000-0x00000000028F2000-memory.dmp

Download
memory/4084-7-0x0000000001180000-0x00000000015C0000-memory.dmp

Download
memory/4084-20-0x0000000008120000-0x0000000008222000-memory.dmp

Download
memory/4084-6-0x0000000001180000-0x00000000015C0000-memory.dmp

Download
memory/4084-58-0x0000000008120000-0x0000000008222000-memory.dmp

Download
memory/4084-5-0x0000000000000000-mapping.dmp

Download
memory/4132-683-0x0000000000000000-mapping.dmp

Download
memory/4148-194-0x0000000000000000-mapping.dmp

Download
memory/4148-201-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4176-553-0x0000000000403BEE-mapping.dmp

Download
memory/4176-555-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/4208-579-0x0000000000400000-0x0000000000420000-memory.dmp

Download
memory/4208-581-0x000000000041A684-mapping.dmp

Download
memory/4208-583-0x0000000000400000-0x0000000000420000-memory.dmp

Download
memory/4240-203-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4240-196-0x0000000000000000-mapping.dmp

Download
memory/4268-696-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4268-690-0x0000000000000000-mapping.dmp

Download
memory/4316-649-0x0000000000000000-mapping.dmp

Download
memory/4316-651-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4348-207-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4348-199-0x0000000000000000-mapping.dmp

Download
memory/4364-609-0x0000000000000000-mapping.dmp

Download
memory/4436-449-0x0000000000000000-mapping.dmp

Download
memory/4472-211-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4472-202-0x0000000000000000-mapping.dmp

Download
memory/4476-534-0x00000000041C0000-0x000000000421C000-memory.dmp

Download
memory/4476-624-0x0000000004BB0000-0x0000000004C01000-memory.dmp

Download
memory/4476-424-0x0000000000000000-mapping.dmp

Download
memory/4500-670-0x0000000000000000-mapping.dmp

Download
memory/4520-655-0x0000000000000000-mapping.dmp

Download
memory/4528-636-0x0000000000417A8B-mapping.dmp

Download
memory/4528-635-0x0000000000400000-0x0000000000434000-memory.dmp

Download
memory/4528-638-0x0000000000400000-0x0000000000434000-memory.dmp

Download
memory/4532-437-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/4532-432-0x0000000000000000-mapping.dmp

Download
memory/4548-213-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4548-205-0x0000000000000000-mapping.dmp

Download
memory/4608-697-0x0000000000000000-mapping.dmp

Download
memory/4608-706-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4620-665-0x0000000000000000-mapping.dmp

Download
memory/4656-560-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Download
memory/4656-566-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Download
memory/4656-551-0x0000000000000000-mapping.dmp

Download
memory/4688-209-0x0000000000000000-mapping.dmp

Download
memory/4688-216-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4784-212-0x0000000000000000-mapping.dmp

Download
memory/4784-217-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4808-685-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4808-672-0x0000000000000000-mapping.dmp

Download
memory/4856-483-0x0000000000000000-mapping.dmp

Download
memory/4876-408-0x0000000000000000-mapping.dmp

Download
memory/4876-413-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/4916-681-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4916-667-0x0000000000000000-mapping.dmp

Download
memory/4956-632-0x0000000008BD0000-0x0000000008C29000-memory.dmp

Download
memory/4956-574-0x0000000000000000-mapping.dmp

Download
memory/4956-588-0x0000000000890000-0x0000000000891000-memory.dmp

Download
memory/4956-578-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/4960-343-0x0000000000000000-mapping.dmp

Download
memory/4960-393-0x0000000000000000-mapping.dmp

Download
memory/4960-489-0x0000000000000000-mapping.dmp

Download
memory/4960-491-0x0000000000000000-mapping.dmp

Download
memory/4960-493-0x0000000000000000-mapping.dmp

Download
memory/4960-495-0x0000000000000000-mapping.dmp

Download
memory/4960-501-0x0000000000000000-mapping.dmp

Download
memory/4960-499-0x0000000000000000-mapping.dmp

Download
memory/4960-503-0x0000000000000000-mapping.dmp

Download
memory/4960-497-0x0000000000000000-mapping.dmp

Download
memory/4960-505-0x0000000000000000-mapping.dmp

Download
memory/4960-508-0x0000000000000000-mapping.dmp

Download
memory/4960-510-0x0000000000000000-mapping.dmp

Download
memory/4960-513-0x0000000000000000-mapping.dmp

Download
memory/4960-517-0x0000000000000000-mapping.dmp

Download
memory/4960-485-0x0000000000000000-mapping.dmp

Download
memory/4960-521-0x0000000000000000-mapping.dmp

Download
memory/4960-526-0x0000000000000000-mapping.dmp

Download
memory/4960-529-0x0000000000000000-mapping.dmp

Download
memory/4960-532-0x0000000000000000-mapping.dmp

Download
memory/4960-482-0x0000000000000000-mapping.dmp

Download
memory/4960-480-0x0000000000000000-mapping.dmp

Download
memory/4960-478-0x0000000000000000-mapping.dmp

Download
memory/4960-476-0x0000000000000000-mapping.dmp

Download
memory/4960-540-0x0000000000000000-mapping.dmp

Download
memory/4960-474-0x0000000000000000-mapping.dmp

Download
memory/4960-547-0x0000000000000000-mapping.dmp

Download
memory/4960-472-0x0000000000000000-mapping.dmp

Download
memory/4960-470-0x0000000000000000-mapping.dmp

Download
memory/4960-552-0x0000000000000000-mapping.dmp

Download
memory/4960-468-0x0000000000000000-mapping.dmp

Download
memory/4960-465-0x0000000000000000-mapping.dmp

Download
memory/4960-558-0x0000000000000000-mapping.dmp

Download
memory/4960-461-0x0000000000000000-mapping.dmp

Download
memory/4960-457-0x0000000000000000-mapping.dmp

Download
memory/4960-564-0x0000000000000000-mapping.dmp

Download
memory/4960-455-0x0000000000000000-mapping.dmp

Download
memory/4960-569-0x0000000000000000-mapping.dmp

Download
memory/4960-571-0x0000000000000000-mapping.dmp

Download
memory/4960-573-0x0000000000000000-mapping.dmp

Download
memory/4960-580-0x0000000000000000-mapping.dmp

Download
memory/4960-243-0x0000000000500000-0x0000000000501000-memory.dmp

Download
memory/4960-246-0x00000000005C0000-0x00000000005C1000-memory.dmp

Download
memory/4960-247-0x0000000000000000-mapping.dmp

Download
memory/4960-448-0x0000000000000000-mapping.dmp

Download
memory/4960-244-0x0000000000000000-mapping.dmp

Download
memory/4960-251-0x0000000000000000-mapping.dmp

Download
memory/4960-587-0x0000000000000000-mapping.dmp

Download
memory/4960-443-0x0000000000000000-mapping.dmp

Download
memory/4960-253-0x0000000000000000-mapping.dmp

Download
memory/4960-439-0x0000000000000000-mapping.dmp

Download
memory/4960-434-0x0000000000000000-mapping.dmp

Download
memory/4960-431-0x0000000000000000-mapping.dmp

Download
memory/4960-429-0x0000000000000000-mapping.dmp

Download
memory/4960-423-0x0000000000000000-mapping.dmp

Download
memory/4960-419-0x0000000000000000-mapping.dmp

Download
memory/4960-593-0x0000000000000000-mapping.dmp

Download
memory/4960-599-0x0000000000000000-mapping.dmp

Download
memory/4960-602-0x0000000000000000-mapping.dmp

Download
memory/4960-415-0x0000000000000000-mapping.dmp

Download
memory/4960-604-0x0000000000000000-mapping.dmp

Download
memory/4960-608-0x0000000000000000-mapping.dmp

Download
memory/4960-410-0x0000000000000000-mapping.dmp

Download
memory/4960-407-0x0000000000000000-mapping.dmp

Download
memory/4960-618-0x0000000000000000-mapping.dmp

Download
memory/4960-405-0x0000000000000000-mapping.dmp

Download
memory/4960-403-0x0000000000000000-mapping.dmp

Download
memory/4960-620-0x0000000006B10000-0x0000000006B11000-memory.dmp

Download
memory/4960-622-0x0000000000000000-mapping.dmp

Download
memory/4960-401-0x0000000000000000-mapping.dmp

Download
memory/4960-399-0x0000000000000000-mapping.dmp

Download
memory/4960-397-0x0000000000000000-mapping.dmp

Download
memory/4960-395-0x0000000000000000-mapping.dmp

Download
memory/4960-487-0x0000000000000000-mapping.dmp

Download
memory/4960-391-0x0000000000000000-mapping.dmp

Download
memory/4960-389-0x0000000000000000-mapping.dmp

Download
memory/4960-387-0x0000000000000000-mapping.dmp

Download
memory/4960-385-0x0000000000000000-mapping.dmp

Download
memory/4960-383-0x0000000000000000-mapping.dmp

Download
memory/4960-255-0x0000000000000000-mapping.dmp

Download
memory/4960-381-0x0000000000000000-mapping.dmp

Download
memory/4960-379-0x0000000000000000-mapping.dmp

Download
memory/4960-377-0x0000000000000000-mapping.dmp

Download
memory/4960-375-0x0000000000000000-mapping.dmp

Download
memory/4960-370-0x0000000000000000-mapping.dmp

Download
memory/4960-368-0x0000000000000000-mapping.dmp

Download
memory/4960-366-0x0000000000000000-mapping.dmp

Download
memory/4960-364-0x0000000000000000-mapping.dmp

Download
memory/4960-362-0x0000000000000000-mapping.dmp

Download
memory/4960-360-0x0000000000000000-mapping.dmp

Download
memory/4960-257-0x0000000000000000-mapping.dmp

Download
memory/4960-357-0x0000000000000000-mapping.dmp

Download
memory/4960-354-0x0000000000000000-mapping.dmp

Download
memory/4960-352-0x0000000000000000-mapping.dmp

Download
memory/4960-259-0x0000000000000000-mapping.dmp

Download
memory/4960-350-0x0000000000000000-mapping.dmp

Download
memory/4960-348-0x0000000000000000-mapping.dmp

Download
memory/4960-346-0x0000000000000000-mapping.dmp

Download
memory/4960-338-0x0000000000000000-mapping.dmp

Download
memory/4960-336-0x0000000000000000-mapping.dmp

Download
memory/4960-334-0x0000000000000000-mapping.dmp

Download
memory/4960-332-0x0000000000000000-mapping.dmp

Download
memory/4960-329-0x0000000000000000-mapping.dmp

Download
memory/4960-326-0x0000000000000000-mapping.dmp

Download
memory/4960-324-0x0000000000000000-mapping.dmp

Download
memory/4960-319-0x0000000000000000-mapping.dmp

Download
memory/4960-312-0x0000000000000000-mapping.dmp

Download
memory/4960-307-0x0000000000000000-mapping.dmp

Download
memory/4960-301-0x0000000000000000-mapping.dmp

Download
memory/4960-299-0x0000000000000000-mapping.dmp

Download
memory/4960-297-0x0000000000000000-mapping.dmp

Download
memory/4960-295-0x0000000000000000-mapping.dmp

Download
memory/4960-261-0x0000000000000000-mapping.dmp

Download
memory/4960-293-0x0000000000000000-mapping.dmp

Download
memory/4960-291-0x0000000000000000-mapping.dmp

Download
memory/4960-288-0x0000000000000000-mapping.dmp

Download
memory/4960-285-0x0000000000000000-mapping.dmp

Download
memory/4960-283-0x0000000000000000-mapping.dmp

Download
memory/4960-263-0x0000000000000000-mapping.dmp

Download
memory/4960-281-0x0000000000000000-mapping.dmp

Download
memory/4960-279-0x0000000000000000-mapping.dmp

Download
memory/4960-275-0x0000000000000000-mapping.dmp

Download
memory/4960-265-0x0000000000000000-mapping.dmp

Download
memory/4960-273-0x0000000000000000-mapping.dmp

Download
memory/4960-267-0x0000000000000000-mapping.dmp

Download
memory/4960-269-0x0000000000000000-mapping.dmp

Download
memory/4960-271-0x0000000000000000-mapping.dmp

Download
memory/4964-648-0x0000000009290000-0x0000000009291000-memory.dmp

Download
memory/4964-565-0x0000000000000000-mapping.dmp

Download
memory/4964-585-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/4964-631-0x0000000008C60000-0x0000000008C61000-memory.dmp

Download
memory/4972-516-0x000000000040C76E-mapping.dmp

Download
memory/4972-519-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/4992-710-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/4992-701-0x0000000000000000-mapping.dmp

Download
memory/5000-687-0x0000000000000000-mapping.dmp

Download
memory/5012-650-0x0000000000000000-mapping.dmp

Download
memory/5028-694-0x0000000000000000-mapping.dmp

Download
memory/5028-702-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/5084-447-0x0000000000000000-mapping.dmp

Download
memory/5084-453-0x0000000071400000-0x0000000071AEE000-memory.dmp

Download
memory/5224-704-0x0000000000000000-mapping.dmp

Download
memory/5224-712-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download
memory/5344-707-0x0000000000000000-mapping.dmp

Download
memory/5344-714-0x00007FFC45280000-0x00007FFC45C6C000-memory.dmp

Download