formbook | 069edc860955f7f56fe2c18cfd9d46e26b95831325541ab3cc92bba11f30fa3b

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CONTRACTS DOCUMENTS.exe
Size

215KB
MD5

b5a64ee18bd52e91671491580ae349da
SHA1

0a5ec3756c34db4a9eb9a1e54a0867f9c98c6f3d
SHA256

380b98b82eca0b9f9ea4a86ea9ee60c579bc68d75a75db5d800074a8c50a0a52
SHA512

9fc1a1faed034a8e1247e1b6daeb83bbcc4f58ce3aadd5df21213837de5d3252c8801aeb7031be6c73fa00cc23ef85d218b724b0da3d9f6cbcd7dd3eaec9c6f9

Score

10^/10

formbook nfl rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

nfl

Decoy

giacamp.net

qb51.party

mashalevine.com

russiasexdating.com

jitangyy.com

morockin.com

karoreiss.com

tractionhero.today

bienvenueenprovence.net

stormharbour.info

61999h.com

tryandcert.com

bestwaytosuccess.com

laobaochang.com

otomatiktente.com

rehpb.info

ivpdqb.info

dc-wv-wv-ie-q.com

goingmagic.com

cimachain.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 13 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3468-135-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/3480-141-0x0000000000700000-0x000000000072A000-memory.dmp	formbook
behavioral2/memory/2328-145-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/3836-153-0x0000000000BA0000-0x0000000000BCA000-memory.dmp	formbook
behavioral2/memory/5028-164-0x0000000001230000-0x000000000125A000-memory.dmp	formbook
behavioral2/memory/2316-173-0x0000000000890000-0x00000000008BA000-memory.dmp	formbook
behavioral2/memory/3336-182-0x00000000012F0000-0x000000000131A000-memory.dmp	formbook
behavioral2/memory/1824-191-0x0000000000CE0000-0x0000000000D0A000-memory.dmp	formbook
behavioral2/memory/4700-195-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/4236-201-0x0000000000620000-0x000000000064A000-memory.dmp	formbook
behavioral2/memory/2884-205-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/1168-211-0x0000000000800000-0x000000000082A000-memory.dmp	formbook
behavioral2/memory/3284-220-0x0000000000EC0000-0x0000000000EEA000-memory.dmp	formbook

Checks computer location settings 2 TTPs 26 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	CONTRACTS DOCUMENTS.exe

Drops startup file 2 IoCs

Processes:

CONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	CONTRACTS DOCUMENTS.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	CONTRACTS DOCUMENTS.exe

Suspicious use of SetThreadContext 57 IoCs

Processes:

CONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exewscript.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exe

description	pid	process	target process
PID 4260 set thread context of 3468	4260	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 3468 set thread context of 2628	3468	RegAsm.exe	Explorer.EXE
PID 5008 set thread context of 2328	5008	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2328 set thread context of 2628	2328	RegAsm.exe	Explorer.EXE
PID 3480 set thread context of 2628	3480	wscript.exe	Explorer.EXE
PID 1456 set thread context of 2668	1456	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2668 set thread context of 2628	2668	RegAsm.exe	Explorer.EXE
PID 4252 set thread context of 2272	4252	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2272 set thread context of 2628	2272	RegAsm.exe	Explorer.EXE
PID 2872 set thread context of 1104	2872	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1104 set thread context of 2628	1104	RegAsm.exe	Explorer.EXE
PID 732 set thread context of 3900	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 3900 set thread context of 2628	3900	RegAsm.exe	Explorer.EXE
PID 1956 set thread context of 4700	1956	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4700 set thread context of 2628	4700	RegAsm.exe	Explorer.EXE
PID 3660 set thread context of 2884	3660	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2884 set thread context of 2628	2884	RegAsm.exe	Explorer.EXE
PID 2320 set thread context of 4332	2320	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4332 set thread context of 2628	4332	RegAsm.exe	Explorer.EXE
PID 2592 set thread context of 4052	2592	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4052 set thread context of 2628	4052	RegAsm.exe	Explorer.EXE
PID 1032 set thread context of 716	1032	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 716 set thread context of 2628	716	RegAsm.exe	Explorer.EXE
PID 1212 set thread context of 4904	1212	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4904 set thread context of 2628	4904	RegAsm.exe	Explorer.EXE
PID 1396 set thread context of 2244	1396	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2244 set thread context of 2628	2244	RegAsm.exe	Explorer.EXE
PID 372 set thread context of 4480	372	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4480 set thread context of 2628	4480	RegAsm.exe	Explorer.EXE
PID 1464 set thread context of 3856	1464	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 3856 set thread context of 2628	3856	RegAsm.exe	Explorer.EXE
PID 2308 set thread context of 3548	2308	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 3548 set thread context of 2628	3548	RegAsm.exe	Explorer.EXE
PID 4320 set thread context of 2868	4320	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2868 set thread context of 2628	2868	RegAsm.exe	Explorer.EXE
PID 3548 set thread context of 2628	3548	RegAsm.exe	Explorer.EXE
PID 3848 set thread context of 4540	3848	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4540 set thread context of 2628	4540	RegAsm.exe	Explorer.EXE
PID 2756 set thread context of 2204	2756	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2204 set thread context of 2628	2204	RegAsm.exe	Explorer.EXE
PID 4540 set thread context of 2628	4540	RegAsm.exe	Explorer.EXE
PID 4816 set thread context of 1524	4816	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1524 set thread context of 2628	1524	RegAsm.exe	Explorer.EXE
PID 2204 set thread context of 2628	2204	RegAsm.exe	Explorer.EXE
PID 1956 set thread context of 4560	1956	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4560 set thread context of 2628	4560	RegAsm.exe	Explorer.EXE
PID 1160 set thread context of 768	1160	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 768 set thread context of 2628	768	RegAsm.exe	Explorer.EXE
PID 4100 set thread context of 2380	4100	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2380 set thread context of 2628	2380	RegAsm.exe	Explorer.EXE
PID 3880 set thread context of 2284	3880	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2284 set thread context of 2628	2284	RegAsm.exe	Explorer.EXE
PID 2380 set thread context of 2628	2380	RegAsm.exe	Explorer.EXE
PID 4092 set thread context of 2012	4092	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2012 set thread context of 2628	2012	RegAsm.exe	Explorer.EXE
PID 4260 set thread context of 5112	4260	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 5112 set thread context of 2628	5112	RegAsm.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid process

3336 ipconfig.exe
1660 NETSTAT.EXE
1456 NETSTAT.EXE
4576 NETSTAT.EXE

pid	process
3336	ipconfig.exe
1660	NETSTAT.EXE
1456	NETSTAT.EXE
4576	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CONTRACTS DOCUMENTS.exe

pid	process
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe
4260	CONTRACTS DOCUMENTS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2628 Explorer.EXE

pid	process
2628	Explorer.EXE

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

CONTRACTS DOCUMENTS.exeRegAsm.exewscript.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exe

pid	process
4260	CONTRACTS DOCUMENTS.exe
3468	RegAsm.exe
3468	RegAsm.exe
3468	RegAsm.exe
3480	wscript.exe
5008	CONTRACTS DOCUMENTS.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
3480	wscript.exe
1456	CONTRACTS DOCUMENTS.exe
2668	RegAsm.exe
2668	RegAsm.exe
2668	RegAsm.exe
4252	CONTRACTS DOCUMENTS.exe
2272	RegAsm.exe
2272	RegAsm.exe
2272	RegAsm.exe
2872	CONTRACTS DOCUMENTS.exe
1104	RegAsm.exe
1104	RegAsm.exe
1104	RegAsm.exe
732	CONTRACTS DOCUMENTS.exe
732	CONTRACTS DOCUMENTS.exe
732	CONTRACTS DOCUMENTS.exe
732	CONTRACTS DOCUMENTS.exe
3900	RegAsm.exe
3900	RegAsm.exe
3900	RegAsm.exe
1956	CONTRACTS DOCUMENTS.exe
1956	CONTRACTS DOCUMENTS.exe
4700	RegAsm.exe
4700	RegAsm.exe
4700	RegAsm.exe
3660	CONTRACTS DOCUMENTS.exe
2884	RegAsm.exe
2884	RegAsm.exe
2884	RegAsm.exe
2320	CONTRACTS DOCUMENTS.exe
4332	RegAsm.exe
4332	RegAsm.exe
4332	RegAsm.exe
2592	CONTRACTS DOCUMENTS.exe
2592	CONTRACTS DOCUMENTS.exe
4052	RegAsm.exe
4052	RegAsm.exe
4052	RegAsm.exe
1032	CONTRACTS DOCUMENTS.exe
1032	CONTRACTS DOCUMENTS.exe
1032	CONTRACTS DOCUMENTS.exe
716	RegAsm.exe
716	RegAsm.exe
716	RegAsm.exe
1212	CONTRACTS DOCUMENTS.exe
4904	RegAsm.exe
4904	RegAsm.exe
4904	RegAsm.exe
1396	CONTRACTS DOCUMENTS.exe
2244	RegAsm.exe
2244	RegAsm.exe
2244	RegAsm.exe
372	CONTRACTS DOCUMENTS.exe
4480	RegAsm.exe
4480	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

CONTRACTS DOCUMENTS.exeRegAsm.exewscript.exeCONTRACTS DOCUMENTS.exeRegAsm.exesvchost.exeCONTRACTS DOCUMENTS.exeRegAsm.exesystray.exeCONTRACTS DOCUMENTS.exeRegAsm.execolorcpl.exeCONTRACTS DOCUMENTS.exeRegAsm.exeipconfig.exeCONTRACTS DOCUMENTS.exeRegAsm.exeexplorer.exeCONTRACTS DOCUMENTS.exeRegAsm.exerundll32.exeCONTRACTS DOCUMENTS.exeRegAsm.exewscript.exeCONTRACTS DOCUMENTS.exeRegAsm.exesvchost.exeCONTRACTS DOCUMENTS.exeRegAsm.exeNETSTAT.EXECONTRACTS DOCUMENTS.exeRegAsm.execmd.exeCONTRACTS DOCUMENTS.exeRegAsm.execscript.exeCONTRACTS DOCUMENTS.exeRegAsm.exehelp.exeCONTRACTS DOCUMENTS.exeRegAsm.execmd.exeCONTRACTS DOCUMENTS.exeRegAsm.exeNETSTAT.EXECONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeWWAHost.exesystray.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeNETSTAT.EXECONTRACTS DOCUMENTS.exeRegAsm.exesvchost.exemsiexec.exeCONTRACTS DOCUMENTS.exeRegAsm.exemsiexec.exeCONTRACTS DOCUMENTS.exe

description	pid	process
Token: SeDebugPrivilege	4260	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	3468	RegAsm.exe
Token: SeDebugPrivilege	3480	wscript.exe
Token: SeDebugPrivilege	5008	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	2328	RegAsm.exe
Token: SeDebugPrivilege	3836	svchost.exe
Token: SeDebugPrivilege	1456	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	2668	RegAsm.exe
Token: SeDebugPrivilege	5028	systray.exe
Token: SeDebugPrivilege	4252	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	2272	RegAsm.exe
Token: SeDebugPrivilege	2316	colorcpl.exe
Token: SeDebugPrivilege	2872	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1104	RegAsm.exe
Token: SeDebugPrivilege	3336	ipconfig.exe
Token: SeDebugPrivilege	732	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	3900	RegAsm.exe
Token: SeDebugPrivilege	1824	explorer.exe
Token: SeDebugPrivilege	1956	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	4700	RegAsm.exe
Token: SeDebugPrivilege	4236	rundll32.exe
Token: SeDebugPrivilege	3660	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	2884	RegAsm.exe
Token: SeDebugPrivilege	1168	wscript.exe
Token: SeDebugPrivilege	2320	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	4332	RegAsm.exe
Token: SeDebugPrivilege	3284	svchost.exe
Token: SeDebugPrivilege	2592	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	4052	RegAsm.exe
Token: SeDebugPrivilege	1660	NETSTAT.EXE
Token: SeDebugPrivilege	1032	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	716	RegAsm.exe
Token: SeDebugPrivilege	2312	cmd.exe
Token: SeDebugPrivilege	1212	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	4904	RegAsm.exe
Token: SeDebugPrivilege	984	cscript.exe
Token: SeDebugPrivilege	1396	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	2244	RegAsm.exe
Token: SeDebugPrivilege	1256	help.exe
Token: SeDebugPrivilege	372	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	4480	RegAsm.exe
Token: SeDebugPrivilege	3052	cmd.exe
Token: SeDebugPrivilege	1464	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	3856	RegAsm.exe
Token: SeDebugPrivilege	1456	NETSTAT.EXE
Token: SeDebugPrivilege	2308	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	3548	RegAsm.exe
Token: SeDebugPrivilege	4320	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	2868	RegAsm.exe
Token: SeDebugPrivilege	2480	WWAHost.exe
Token: SeDebugPrivilege	3224	systray.exe
Token: SeDebugPrivilege	3848	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	4540	RegAsm.exe
Token: SeDebugPrivilege	2756	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	2204	RegAsm.exe
Token: SeDebugPrivilege	4576	NETSTAT.EXE
Token: SeDebugPrivilege	4816	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1524	RegAsm.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	1952	msiexec.exe
Token: SeDebugPrivilege	1956	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	4560	RegAsm.exe
Token: SeDebugPrivilege	2600	msiexec.exe
Token: SeDebugPrivilege	1160	CONTRACTS DOCUMENTS.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CONTRACTS DOCUMENTS.exeExplorer.EXEwscript.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exe

description	pid	process	target process
PID 4260 wrote to memory of 3468	4260	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4260 wrote to memory of 3468	4260	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4260 wrote to memory of 3468	4260	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4260 wrote to memory of 3468	4260	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4260 wrote to memory of 5008	4260	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 4260 wrote to memory of 5008	4260	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 4260 wrote to memory of 5008	4260	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 2628 wrote to memory of 3480	2628	Explorer.EXE	wscript.exe
PID 2628 wrote to memory of 3480	2628	Explorer.EXE	wscript.exe
PID 2628 wrote to memory of 3480	2628	Explorer.EXE	wscript.exe
PID 3480 wrote to memory of 1604	3480	wscript.exe	cmd.exe
PID 3480 wrote to memory of 1604	3480	wscript.exe	cmd.exe
PID 3480 wrote to memory of 1604	3480	wscript.exe	cmd.exe
PID 5008 wrote to memory of 2328	5008	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 5008 wrote to memory of 2328	5008	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 5008 wrote to memory of 2328	5008	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 5008 wrote to memory of 2328	5008	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 5008 wrote to memory of 1456	5008	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 5008 wrote to memory of 1456	5008	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 5008 wrote to memory of 1456	5008	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 2628 wrote to memory of 3836	2628	Explorer.EXE	svchost.exe
PID 2628 wrote to memory of 3836	2628	Explorer.EXE	svchost.exe
PID 2628 wrote to memory of 3836	2628	Explorer.EXE	svchost.exe
PID 1456 wrote to memory of 2668	1456	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1456 wrote to memory of 2668	1456	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1456 wrote to memory of 2668	1456	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1456 wrote to memory of 2668	1456	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2628 wrote to memory of 5028	2628	Explorer.EXE	systray.exe
PID 2628 wrote to memory of 5028	2628	Explorer.EXE	systray.exe
PID 2628 wrote to memory of 5028	2628	Explorer.EXE	systray.exe
PID 1456 wrote to memory of 4252	1456	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1456 wrote to memory of 4252	1456	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1456 wrote to memory of 4252	1456	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 4252 wrote to memory of 2272	4252	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4252 wrote to memory of 2272	4252	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4252 wrote to memory of 2272	4252	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4252 wrote to memory of 2272	4252	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 4252 wrote to memory of 2872	4252	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 4252 wrote to memory of 2872	4252	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 4252 wrote to memory of 2872	4252	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 2628 wrote to memory of 2316	2628	Explorer.EXE	colorcpl.exe
PID 2628 wrote to memory of 2316	2628	Explorer.EXE	colorcpl.exe
PID 2628 wrote to memory of 2316	2628	Explorer.EXE	colorcpl.exe
PID 2872 wrote to memory of 1104	2872	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2872 wrote to memory of 1104	2872	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2872 wrote to memory of 1104	2872	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2872 wrote to memory of 1104	2872	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2872 wrote to memory of 732	2872	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 2872 wrote to memory of 732	2872	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 2872 wrote to memory of 732	2872	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 2628 wrote to memory of 3336	2628	Explorer.EXE	ipconfig.exe
PID 2628 wrote to memory of 3336	2628	Explorer.EXE	ipconfig.exe
PID 2628 wrote to memory of 3336	2628	Explorer.EXE	ipconfig.exe
PID 732 wrote to memory of 3160	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 732 wrote to memory of 3160	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 732 wrote to memory of 3160	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 732 wrote to memory of 4684	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 732 wrote to memory of 4684	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 732 wrote to memory of 4684	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 732 wrote to memory of 3656	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 732 wrote to memory of 3656	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 732 wrote to memory of 3656	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 732 wrote to memory of 3900	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 732 wrote to memory of 3900	732	CONTRACTS DOCUMENTS.exe	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
4⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
5⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
7⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:3160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:4684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
8⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
9⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
10⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
11⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
12⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:3376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
13⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
14⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
15⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
16⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
17⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
18⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
19⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
20⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
21⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
22⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of SetThreadContext
PID:768

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
24⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of SetThreadContext
PID:2380

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
25⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:3740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of SetThreadContext
PID:2284

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
26⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of SetThreadContext
PID:2012

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
27⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of SetThreadContext
PID:5112

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
28⤵
PID:3236

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1604

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3024

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2720

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1876

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4284

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3988

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:908

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4292

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1008

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4940

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2712

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2240

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4092

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3716

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4060

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1348

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4136

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3232

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2636

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4504

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4776

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:328

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2024

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3056

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:4492

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:1628

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2136

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1284

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3116

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:376

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:4780

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:1556

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:2084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
216KB

MD5
3be793cc456c24741f474e0a7e9e9dda

SHA1
23f715eb3ea125162234fa5aedbe3e79a4287412

SHA256
b9a289e4b32a9d4592cf63aad42628937ce83fb51be4742f1fd8c1ddf747b389

SHA512
34a02e675d57ca4e0d1b32cc68ac99bca9858fad49611e6103077977b04afb91d8b0f6daf8bd104b3ea8fae7a16b233deb76f96e9a0bfe0df76a8b8942844ce0

Download Submit
memory/372-251-0x0000000000000000-mapping.dmp

Download
memory/716-231-0x0000000000000000-mapping.dmp

Download
memory/732-176-0x0000000000000000-mapping.dmp

Download
memory/984-246-0x0000000000000000-mapping.dmp

Download
memory/1032-223-0x0000000000000000-mapping.dmp

Download
memory/1104-175-0x0000000000000000-mapping.dmp

Download
memory/1104-177-0x00000000031C0000-0x000000000350A000-memory.dmp

Filesize
3.3MB

Download
memory/1104-178-0x0000000001810000-0x0000000001824000-memory.dmp

Filesize
80KB

Download
memory/1160-331-0x0000000000000000-mapping.dmp

Download
memory/1168-210-0x0000000000AE0000-0x0000000000B07000-memory.dmp

Filesize
156KB

Download
memory/1168-209-0x0000000000000000-mapping.dmp

Download
memory/1168-212-0x00000000028A0000-0x0000000002BEA000-memory.dmp

Filesize
3.3MB

Download
memory/1168-211-0x0000000000800000-0x000000000082A000-memory.dmp

Filesize
168KB

Download
memory/1212-232-0x0000000000000000-mapping.dmp

Download
memory/1256-255-0x0000000000000000-mapping.dmp

Download
memory/1396-242-0x0000000000000000-mapping.dmp

Download
memory/1456-274-0x0000000000000000-mapping.dmp

Download
memory/1456-146-0x0000000000000000-mapping.dmp

Download
memory/1464-260-0x0000000000000000-mapping.dmp

Download
memory/1524-315-0x0000000000000000-mapping.dmp

Download
memory/1604-142-0x0000000000000000-mapping.dmp

Download
memory/1660-227-0x0000000000000000-mapping.dmp

Download
memory/1824-192-0x0000000003480000-0x00000000037CA000-memory.dmp

Filesize
3.3MB

Download
memory/1824-190-0x0000000000DF0000-0x0000000001223000-memory.dmp

Filesize
4.2MB

Download
memory/1824-191-0x0000000000CE0000-0x0000000000D0A000-memory.dmp

Filesize
168KB

Download
memory/1824-189-0x0000000000000000-mapping.dmp

Download
memory/1952-326-0x0000000000000000-mapping.dmp

Download
memory/1956-316-0x0000000000000000-mapping.dmp

Download
memory/1956-185-0x0000000000000000-mapping.dmp

Download
memory/2204-304-0x0000000000000000-mapping.dmp

Download
memory/2244-250-0x0000000000000000-mapping.dmp

Download
memory/2272-166-0x0000000000000000-mapping.dmp

Download
memory/2272-168-0x0000000002760000-0x0000000002AAA000-memory.dmp

Filesize
3.3MB

Download
memory/2272-169-0x00000000026B0000-0x00000000026C4000-memory.dmp

Filesize
80KB

Download
memory/2308-270-0x0000000000000000-mapping.dmp

Download
memory/2312-237-0x0000000000000000-mapping.dmp

Download
memory/2316-172-0x0000000000C30000-0x0000000000C49000-memory.dmp

Filesize
100KB

Download
memory/2316-174-0x0000000002850000-0x0000000002B9A000-memory.dmp

Filesize
3.3MB

Download
memory/2316-173-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/2316-171-0x0000000000000000-mapping.dmp

Download
memory/2320-204-0x0000000000000000-mapping.dmp

Download
memory/2328-144-0x0000000000000000-mapping.dmp

Download
memory/2328-149-0x00000000028E0000-0x00000000028F4000-memory.dmp

Filesize
80KB

Download
memory/2328-145-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2328-148-0x0000000002A50000-0x0000000002D9A000-memory.dmp

Filesize
3.3MB

Download
memory/2480-291-0x0000000000000000-mapping.dmp

Download
memory/2592-214-0x0000000000000000-mapping.dmp

Download
memory/2600-336-0x0000000000000000-mapping.dmp

Download
memory/2628-217-0x000000000B5D0000-0x000000000B777000-memory.dmp

Filesize
1.7MB

Download
memory/2628-198-0x00000000035A0000-0x0000000003662000-memory.dmp

Filesize
776KB

Download
memory/2628-150-0x00000000032E0000-0x0000000003393000-memory.dmp

Filesize
716KB

Download
memory/2628-179-0x0000000008F70000-0x00000000090F4000-memory.dmp

Filesize
1.5MB

Download
memory/2628-188-0x000000000B250000-0x000000000B3CF000-memory.dmp

Filesize
1.5MB

Download
memory/2628-156-0x00000000033A0000-0x000000000344F000-memory.dmp

Filesize
700KB

Download
memory/2628-170-0x0000000008810000-0x0000000008949000-memory.dmp

Filesize
1.2MB

Download
memory/2628-138-0x0000000002FD0000-0x00000000030AA000-memory.dmp

Filesize
872KB

Download
memory/2628-161-0x0000000008C90000-0x0000000008E27000-memory.dmp

Filesize
1.6MB

Download
memory/2628-208-0x000000000B3D0000-0x000000000B53F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-160-0x0000000001360000-0x0000000001374000-memory.dmp

Filesize
80KB

Download
memory/2668-157-0x0000000000000000-mapping.dmp

Download
memory/2668-159-0x0000000002EC0000-0x000000000320A000-memory.dmp

Filesize
3.3MB

Download
memory/2756-300-0x0000000000000000-mapping.dmp

Download
memory/2868-283-0x0000000000000000-mapping.dmp

Download
memory/2872-167-0x0000000000000000-mapping.dmp

Download
memory/2884-203-0x0000000000000000-mapping.dmp

Download
memory/2884-206-0x0000000002FE0000-0x0000000002FF4000-memory.dmp

Filesize
80KB

Download
memory/2884-207-0x0000000003120000-0x000000000346A000-memory.dmp

Filesize
3.3MB

Download
memory/2884-205-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3052-265-0x0000000000000000-mapping.dmp

Download
memory/3120-322-0x0000000000000000-mapping.dmp

Download
memory/3224-294-0x0000000000000000-mapping.dmp

Download
memory/3284-218-0x0000000000000000-mapping.dmp

Download
memory/3284-219-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/3284-221-0x0000000001900000-0x0000000001C4A000-memory.dmp

Filesize
3.3MB

Download
memory/3284-220-0x0000000000EC0000-0x0000000000EEA000-memory.dmp

Filesize
168KB

Download
memory/3336-183-0x00000000019C0000-0x0000000001D0A000-memory.dmp

Filesize
3.3MB

Download
memory/3336-180-0x0000000000000000-mapping.dmp

Download
memory/3336-181-0x00000000006F0000-0x00000000006FB000-memory.dmp

Filesize
44KB

Download
memory/3336-182-0x00000000012F0000-0x000000000131A000-memory.dmp

Filesize
168KB

Download
memory/3468-132-0x0000000000000000-mapping.dmp

Download
memory/3468-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3468-136-0x00000000027E0000-0x0000000002B2A000-memory.dmp

Filesize
3.3MB

Download
memory/3468-137-0x0000000000A60000-0x0000000000A74000-memory.dmp

Filesize
80KB

Download
memory/3480-155-0x0000000002600000-0x0000000002693000-memory.dmp

Filesize
588KB

Download
memory/3480-143-0x0000000002860000-0x0000000002BAA000-memory.dmp

Filesize
3.3MB

Download
memory/3480-139-0x0000000000000000-mapping.dmp

Download
memory/3480-140-0x0000000000AE0000-0x0000000000B07000-memory.dmp

Filesize
156KB

Download
memory/3480-141-0x0000000000700000-0x000000000072A000-memory.dmp

Filesize
168KB

Download
memory/3548-278-0x0000000000000000-mapping.dmp

Download
memory/3660-194-0x0000000000000000-mapping.dmp

Download
memory/3836-154-0x0000000001800000-0x0000000001B4A000-memory.dmp

Filesize
3.3MB

Download
memory/3836-152-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/3836-153-0x0000000000BA0000-0x0000000000BCA000-memory.dmp

Filesize
168KB

Download
memory/3836-151-0x0000000000000000-mapping.dmp

Download
memory/3848-284-0x0000000000000000-mapping.dmp

Download
memory/3856-269-0x0000000000000000-mapping.dmp

Download
memory/3900-186-0x0000000002D30000-0x000000000307A000-memory.dmp

Filesize
3.3MB

Download
memory/3900-187-0x0000000002C90000-0x0000000002CA4000-memory.dmp

Filesize
80KB

Download
memory/3900-184-0x0000000000000000-mapping.dmp

Download
memory/4052-224-0x0000000002EF0000-0x000000000323A000-memory.dmp

Filesize
3.3MB

Download
memory/4052-222-0x0000000000000000-mapping.dmp

Download
memory/4236-200-0x0000000000ED0000-0x0000000000EE4000-memory.dmp

Filesize
80KB

Download
memory/4236-201-0x0000000000620000-0x000000000064A000-memory.dmp

Filesize
168KB

Download
memory/4236-202-0x0000000002670000-0x00000000029BA000-memory.dmp

Filesize
3.3MB

Download
memory/4236-199-0x0000000000000000-mapping.dmp

Download
memory/4252-158-0x0000000000000000-mapping.dmp

Download
memory/4260-134-0x00000000053B0000-0x00000000053B3000-memory.dmp

Filesize
12KB

Download
memory/4260-130-0x00000000004A0000-0x00000000004DC000-memory.dmp

Filesize
240KB

Download
memory/4260-131-0x0000000004DB0000-0x0000000004DB3000-memory.dmp

Filesize
12KB

Download
memory/4320-279-0x0000000000000000-mapping.dmp

Download
memory/4332-216-0x0000000000C90000-0x0000000000CA4000-memory.dmp

Filesize
80KB

Download
memory/4332-213-0x0000000000000000-mapping.dmp

Download
memory/4332-215-0x0000000002980000-0x0000000002CCA000-memory.dmp

Filesize
3.3MB

Download
memory/4480-259-0x0000000000000000-mapping.dmp

Download
memory/4540-299-0x0000000000000000-mapping.dmp

Download
memory/4560-330-0x0000000000000000-mapping.dmp

Download
memory/4576-311-0x0000000000000000-mapping.dmp

Download
memory/4700-193-0x0000000000000000-mapping.dmp

Download
memory/4700-197-0x00000000012F0000-0x0000000001304000-memory.dmp

Filesize
80KB

Download
memory/4700-196-0x0000000002E90000-0x00000000031DA000-memory.dmp

Filesize
3.3MB

Download
memory/4700-195-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4816-305-0x0000000000000000-mapping.dmp

Download
memory/4904-241-0x0000000000000000-mapping.dmp

Download
memory/5008-133-0x0000000000000000-mapping.dmp

Download
memory/5028-165-0x00000000032E0000-0x000000000362A000-memory.dmp

Filesize
3.3MB

Download
memory/5028-164-0x0000000001230000-0x000000000125A000-memory.dmp

Filesize
168KB

Download
memory/5028-163-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/5028-162-0x0000000000000000-mapping.dmp

Download