asyncrat | 60152e8f49b376387ea78e05be97894b52c0dc862a9906248b12a441e840ee2d

Analysis

max time kernel
120s
max time network
152s
platform
windows10_x64
resource
win10v200722
submitted
14-10-2020 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1282cbd3580662cf9e2b218b132006f6.exe
Size

1.1MB
MD5

1282cbd3580662cf9e2b218b132006f6
SHA1

678b1416dd2f1f748acc5c4619ebfaf4695946f1
SHA256

60152e8f49b376387ea78e05be97894b52c0dc862a9906248b12a441e840ee2d
SHA512

3e80fa05969f7733fe59136173601ae296253467c8aab4d24b33245e1a284b76ff9818f773bb5cc8c7f9d5a502bb178cea266b3d7404d31bf11d7b990d1f84f7

Score

10^/10

asyncrat azorult modiloader oski raccoon discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
s8CEqY6pD21gSg7xELYD1QWGg2YpwLUB
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/640-100-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral2/memory/640-102-0x000000000040616E-mapping.dmp	disable_win_def
behavioral2/memory/896-105-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral2/memory/896-107-0x0000000000403BEE-mapping.dmp	disable_win_def
C:\Windows\Temp\whksxpiq.exe	disable_win_def
C:\Windows\temp\whksxpiq.exe	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1592-86-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1592-87-0x000000000040C75E-mapping.dmp	asyncrat

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2388-224-0x0000000002A60000-0x0000000002A9A000-memory.dmp	modiloader_stage1

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

Limo.exeLimo.exeLimo.exeLima.exeLima.exeLima.exeMvtL35uzbB.exebFIGqqCxXs.exeqN88aAgkuv.exefX2RZ0jnLG.exeMvtL35uzbB.exefX2RZ0jnLG.exefX2RZ0jnLG.exeqN88aAgkuv.exefX2RZ0jnLG.exewhksxpiq.exe

pid	process
3708	Limo.exe
3680	Limo.exe
1508	Limo.exe
2092	Lima.exe
2784	Lima.exe
3100	Lima.exe
1096	MvtL35uzbB.exe
2388	bFIGqqCxXs.exe
2232	qN88aAgkuv.exe
3212	fX2RZ0jnLG.exe
1592	MvtL35uzbB.exe
2688	fX2RZ0jnLG.exe
3916	fX2RZ0jnLG.exe
640	qN88aAgkuv.exe
896	fX2RZ0jnLG.exe
1976	whksxpiq.exe

Loads dropped DLL 9 IoCs

Processes:

Limo.exe1282cbd3580662cf9e2b218b132006f6.exe

pid	process
1508	Limo.exe
1508	Limo.exe
1508	Limo.exe
2584	1282cbd3580662cf9e2b218b132006f6.exe
2584	1282cbd3580662cf9e2b218b132006f6.exe
2584	1282cbd3580662cf9e2b218b132006f6.exe
2584	1282cbd3580662cf9e2b218b132006f6.exe
2584	1282cbd3580662cf9e2b218b132006f6.exe
2584	1282cbd3580662cf9e2b218b132006f6.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

fX2RZ0jnLG.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	fX2RZ0jnLG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	fX2RZ0jnLG.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

1282cbd3580662cf9e2b218b132006f6.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\FLesFFxEsEs\desktop.ini 1282cbd3580662cf9e2b218b132006f6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\FLesFFxEsEs\desktop.ini	1282cbd3580662cf9e2b218b132006f6.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

1282cbd3580662cf9e2b218b132006f6.exeLimo.exeLima.exeMvtL35uzbB.exeqN88aAgkuv.exefX2RZ0jnLG.exe

description	pid	process	target process
PID 2064 set thread context of 2584	2064	1282cbd3580662cf9e2b218b132006f6.exe	1282cbd3580662cf9e2b218b132006f6.exe
PID 3708 set thread context of 1508	3708	Limo.exe	Limo.exe
PID 2092 set thread context of 3100	2092	Lima.exe	Lima.exe
PID 1096 set thread context of 1592	1096	MvtL35uzbB.exe	MvtL35uzbB.exe
PID 2232 set thread context of 640	2232	qN88aAgkuv.exe	qN88aAgkuv.exe
PID 3212 set thread context of 896	3212	fX2RZ0jnLG.exe	fX2RZ0jnLG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Limo.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Limo.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

736 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2676 taskkill.exe
1836 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Limo.exe

pid	process
736	timeout.exe

pid	process
2676	taskkill.exe
1836	taskkill.exe

Modifies registry class 2 IoCs

Processes:

1282cbd3580662cf9e2b218b132006f6.exeLimo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000_Classes\Local Settings	1282cbd3580662cf9e2b218b132006f6.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000_Classes\Local Settings	Limo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Limo.exeLima.exefX2RZ0jnLG.exePowershell.exeqN88aAgkuv.exe

pid	process
3708	Limo.exe
3708	Limo.exe
2092	Lima.exe
2092	Lima.exe
3212	fX2RZ0jnLG.exe
3212	fX2RZ0jnLG.exe
3212	fX2RZ0jnLG.exe
3212	fX2RZ0jnLG.exe
4048	Powershell.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

1282cbd3580662cf9e2b218b132006f6.exeLimo.exetaskkill.exeLima.exeMvtL35uzbB.exeqN88aAgkuv.exefX2RZ0jnLG.exePowershell.exeqN88aAgkuv.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2064	1282cbd3580662cf9e2b218b132006f6.exe
Token: SeDebugPrivilege	3708	Limo.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2092	Lima.exe
Token: SeDebugPrivilege	1096	MvtL35uzbB.exe
Token: SeDebugPrivilege	2232	qN88aAgkuv.exe
Token: SeDebugPrivilege	3212	fX2RZ0jnLG.exe
Token: SeDebugPrivilege	4048	Powershell.exe
Token: SeDebugPrivilege	640	qN88aAgkuv.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeIncreaseQuotaPrivilege	2960	powershell.exe
Token: SeSecurityPrivilege	2960	powershell.exe
Token: SeTakeOwnershipPrivilege	2960	powershell.exe
Token: SeLoadDriverPrivilege	2960	powershell.exe
Token: SeSystemProfilePrivilege	2960	powershell.exe
Token: SeSystemtimePrivilege	2960	powershell.exe
Token: SeProfSingleProcessPrivilege	2960	powershell.exe
Token: SeIncBasePriorityPrivilege	2960	powershell.exe
Token: SeCreatePagefilePrivilege	2960	powershell.exe
Token: SeBackupPrivilege	2960	powershell.exe
Token: SeRestorePrivilege	2960	powershell.exe
Token: SeShutdownPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeSystemEnvironmentPrivilege	2960	powershell.exe
Token: SeRemoteShutdownPrivilege	2960	powershell.exe
Token: SeUndockPrivilege	2960	powershell.exe
Token: SeManageVolumePrivilege	2960	powershell.exe
Token: 33	2960	powershell.exe
Token: 34	2960	powershell.exe
Token: 35	2960	powershell.exe
Token: 36	2960	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

qN88aAgkuv.exe

pid process

640 qN88aAgkuv.exe
640 qN88aAgkuv.exe

pid	process
640	qN88aAgkuv.exe
640	qN88aAgkuv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1282cbd3580662cf9e2b218b132006f6.exeWScript.exeLimo.exeWScript.exeLimo.execmd.exeLima.exe1282cbd3580662cf9e2b218b132006f6.exe

description	pid	process	target process
PID 2064 wrote to memory of 2328	2064	1282cbd3580662cf9e2b218b132006f6.exe	WScript.exe
PID 2064 wrote to memory of 2328	2064	1282cbd3580662cf9e2b218b132006f6.exe	WScript.exe
PID 2064 wrote to memory of 2328	2064	1282cbd3580662cf9e2b218b132006f6.exe	WScript.exe
PID 2064 wrote to memory of 2584	2064	1282cbd3580662cf9e2b218b132006f6.exe	1282cbd3580662cf9e2b218b132006f6.exe
PID 2064 wrote to memory of 2584	2064	1282cbd3580662cf9e2b218b132006f6.exe	1282cbd3580662cf9e2b218b132006f6.exe
PID 2064 wrote to memory of 2584	2064	1282cbd3580662cf9e2b218b132006f6.exe	1282cbd3580662cf9e2b218b132006f6.exe
PID 2064 wrote to memory of 2584	2064	1282cbd3580662cf9e2b218b132006f6.exe	1282cbd3580662cf9e2b218b132006f6.exe
PID 2064 wrote to memory of 2584	2064	1282cbd3580662cf9e2b218b132006f6.exe	1282cbd3580662cf9e2b218b132006f6.exe
PID 2064 wrote to memory of 2584	2064	1282cbd3580662cf9e2b218b132006f6.exe	1282cbd3580662cf9e2b218b132006f6.exe
PID 2064 wrote to memory of 2584	2064	1282cbd3580662cf9e2b218b132006f6.exe	1282cbd3580662cf9e2b218b132006f6.exe
PID 2064 wrote to memory of 2584	2064	1282cbd3580662cf9e2b218b132006f6.exe	1282cbd3580662cf9e2b218b132006f6.exe
PID 2064 wrote to memory of 2584	2064	1282cbd3580662cf9e2b218b132006f6.exe	1282cbd3580662cf9e2b218b132006f6.exe
PID 2328 wrote to memory of 3708	2328	WScript.exe	Limo.exe
PID 2328 wrote to memory of 3708	2328	WScript.exe	Limo.exe
PID 2328 wrote to memory of 3708	2328	WScript.exe	Limo.exe
PID 3708 wrote to memory of 2260	3708	Limo.exe	WScript.exe
PID 3708 wrote to memory of 2260	3708	Limo.exe	WScript.exe
PID 3708 wrote to memory of 2260	3708	Limo.exe	WScript.exe
PID 3708 wrote to memory of 3680	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 3680	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 3680	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 1508	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 1508	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 1508	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 1508	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 1508	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 1508	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 1508	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 1508	3708	Limo.exe	Limo.exe
PID 3708 wrote to memory of 1508	3708	Limo.exe	Limo.exe
PID 2260 wrote to memory of 2092	2260	WScript.exe	Lima.exe
PID 2260 wrote to memory of 2092	2260	WScript.exe	Lima.exe
PID 2260 wrote to memory of 2092	2260	WScript.exe	Lima.exe
PID 1508 wrote to memory of 2156	1508	Limo.exe	cmd.exe
PID 1508 wrote to memory of 2156	1508	Limo.exe	cmd.exe
PID 1508 wrote to memory of 2156	1508	Limo.exe	cmd.exe
PID 2156 wrote to memory of 2676	2156	cmd.exe	taskkill.exe
PID 2156 wrote to memory of 2676	2156	cmd.exe	taskkill.exe
PID 2156 wrote to memory of 2676	2156	cmd.exe	taskkill.exe
PID 2092 wrote to memory of 2784	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 2784	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 2784	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 3100	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 3100	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 3100	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 3100	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 3100	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 3100	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 3100	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 3100	2092	Lima.exe	Lima.exe
PID 2092 wrote to memory of 3100	2092	Lima.exe	Lima.exe
PID 2584 wrote to memory of 1096	2584	1282cbd3580662cf9e2b218b132006f6.exe	MvtL35uzbB.exe
PID 2584 wrote to memory of 1096	2584	1282cbd3580662cf9e2b218b132006f6.exe	MvtL35uzbB.exe
PID 2584 wrote to memory of 1096	2584	1282cbd3580662cf9e2b218b132006f6.exe	MvtL35uzbB.exe
PID 2584 wrote to memory of 2388	2584	1282cbd3580662cf9e2b218b132006f6.exe	bFIGqqCxXs.exe
PID 2584 wrote to memory of 2388	2584	1282cbd3580662cf9e2b218b132006f6.exe	bFIGqqCxXs.exe
PID 2584 wrote to memory of 2388	2584	1282cbd3580662cf9e2b218b132006f6.exe	bFIGqqCxXs.exe
PID 2584 wrote to memory of 2232	2584	1282cbd3580662cf9e2b218b132006f6.exe	qN88aAgkuv.exe
PID 2584 wrote to memory of 2232	2584	1282cbd3580662cf9e2b218b132006f6.exe	qN88aAgkuv.exe
PID 2584 wrote to memory of 2232	2584	1282cbd3580662cf9e2b218b132006f6.exe	qN88aAgkuv.exe
PID 2584 wrote to memory of 3212	2584	1282cbd3580662cf9e2b218b132006f6.exe	fX2RZ0jnLG.exe
PID 2584 wrote to memory of 3212	2584	1282cbd3580662cf9e2b218b132006f6.exe	fX2RZ0jnLG.exe
PID 2584 wrote to memory of 3212	2584	1282cbd3580662cf9e2b218b132006f6.exe	fX2RZ0jnLG.exe
PID 2584 wrote to memory of 3788	2584	1282cbd3580662cf9e2b218b132006f6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1282cbd3580662cf9e2b218b132006f6.exe
"C:\Users\Admin\AppData\Local\Temp\1282cbd3580662cf9e2b218b132006f6.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rgtwrmi.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Local\Temp\Limo.exe
"C:\Users\Admin\AppData\Local\Temp\Limo.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ankgce.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Local\Temp\Lima.exe
"C:\Users\Admin\AppData\Local\Temp\Lima.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\Lima.exe
"C:\Users\Admin\AppData\Local\Temp\Lima.exe"
6⤵
- Executes dropped EXE
PID:2784

C:\Users\Admin\AppData\Local\Temp\Lima.exe
"C:\Users\Admin\AppData\Local\Temp\Lima.exe"
6⤵
- Executes dropped EXE
PID:3100

C:\Users\Admin\AppData\Local\Temp\Limo.exe
"C:\Users\Admin\AppData\Local\Temp\Limo.exe"
4⤵
- Executes dropped EXE
PID:3680

C:\Users\Admin\AppData\Local\Temp\Limo.exe
"C:\Users\Admin\AppData\Local\Temp\Limo.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 1508 & erase C:\Users\Admin\AppData\Local\Temp\Limo.exe & RD /S /Q C:\\ProgramData\\915479613221055\\* & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 1508
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Users\Admin\AppData\Local\Temp\1282cbd3580662cf9e2b218b132006f6.exe
"C:\Users\Admin\AppData\Local\Temp\1282cbd3580662cf9e2b218b132006f6.exe"
2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\MvtL35uzbB.exe
"C:\Users\Admin\AppData\Local\Temp\MvtL35uzbB.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\ddcvlc.exe"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Users\Admin\AppData\Local\Temp\MvtL35uzbB.exe
"C:\Users\Admin\AppData\Local\Temp\MvtL35uzbB.exe"
4⤵
- Executes dropped EXE
PID:1592

C:\Users\Admin\AppData\Local\Temp\bFIGqqCxXs.exe
"C:\Users\Admin\AppData\Local\Temp\bFIGqqCxXs.exe"
3⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\AppData\Local\Temp\qN88aAgkuv.exe
"C:\Users\Admin\AppData\Local\Temp\qN88aAgkuv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Users\Admin\AppData\Local\Temp\qN88aAgkuv.exe
"C:\Users\Admin\AppData\Local\Temp\qN88aAgkuv.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:640

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\2ugt4jie.inf
5⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe
"C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe
"C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe"
4⤵
- Executes dropped EXE
PID:2688

C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe
"C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe"
4⤵
- Executes dropped EXE
PID:3916

C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe
"C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe"
4⤵
- Executes dropped EXE
- Windows security modification
PID:896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1282cbd3580662cf9e2b218b132006f6.exe"
3⤵
PID:3788

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:736

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\whksxpiq.exe
2⤵
PID:3796

C:\Windows\temp\whksxpiq.exe
C:\Windows\temp\whksxpiq.exe
3⤵
- Executes dropped EXE
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MvtL35uzbB.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fX2RZ0jnLG.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qN88aAgkuv.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ankgce.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lima.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lima.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lima.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lima.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limo.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limo.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limo.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limo.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MvtL35uzbB.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MvtL35uzbB.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MvtL35uzbB.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rgtwrmi.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\bFIGqqCxXs.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bFIGqqCxXs.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fX2RZ0jnLG.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\qN88aAgkuv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\qN88aAgkuv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\qN88aAgkuv.exe

Download Submit
C:\Windows\Temp\whksxpiq.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\2ugt4jie.inf

Download Submit
C:\Windows\temp\whksxpiq.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/640-100-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/640-144-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/640-106-0x0000000071710000-0x0000000071DFE000-memory.dmp

Filesize
6.9MB

Download
memory/640-102-0x000000000040616E-mapping.dmp

Download
memory/640-113-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/640-116-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/736-82-0x0000000000000000-mapping.dmp

Download
memory/896-105-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/896-107-0x0000000000403BEE-mapping.dmp

Download
memory/896-112-0x0000000071710000-0x0000000071DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1092-203-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/1092-198-0x0000000000000000-mapping.dmp

Download
memory/1096-61-0x0000000071710000-0x0000000071DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1096-62-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1096-58-0x0000000000000000-mapping.dmp

Download
memory/1096-83-0x0000000002D30000-0x0000000002D4A000-memory.dmp

Filesize
104KB

Download
memory/1508-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-24-0x0000000000417A8B-mapping.dmp

Download
memory/1560-118-0x0000000000000000-mapping.dmp

Download
memory/1560-134-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/1592-87-0x000000000040C75E-mapping.dmp

Download
memory/1592-91-0x0000000071710000-0x0000000071DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1592-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1836-159-0x0000000000000000-mapping.dmp

Download
memory/1976-155-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-151-0x0000000000000000-mapping.dmp

Download
memory/1976-152-0x0000000000000000-mapping.dmp

Download
memory/1976-156-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2064-0-0x0000000073330000-0x0000000073A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-4-0x000000000A6E0000-0x000000000A7C5000-memory.dmp

Filesize
916KB

Download
memory/2064-6-0x0000000004AE0000-0x0000000004AED000-memory.dmp

Filesize
52KB

Download
memory/2064-1-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2064-3-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2092-28-0x0000000000000000-mapping.dmp

Download
memory/2092-33-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/2092-31-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2092-30-0x0000000071DC0000-0x00000000724AE000-memory.dmp

Filesize
6.9MB

Download
memory/2092-45-0x000000000A8B0000-0x000000000A8D2000-memory.dmp

Filesize
136KB

Download
memory/2156-42-0x0000000000000000-mapping.dmp

Download
memory/2232-80-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/2232-97-0x0000000004B00000-0x0000000004B16000-memory.dmp

Filesize
88KB

Download
memory/2232-76-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2232-67-0x0000000000000000-mapping.dmp

Download
memory/2232-71-0x0000000071710000-0x0000000071DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2260-19-0x0000000000000000-mapping.dmp

Download
memory/2328-5-0x0000000000000000-mapping.dmp

Download
memory/2388-224-0x0000000002A60000-0x0000000002A9A000-memory.dmp

Filesize
232KB

Download
memory/2388-64-0x0000000000000000-mapping.dmp

Download
memory/2584-10-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2584-9-0x0000000000440102-mapping.dmp

Download
memory/2584-8-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2676-44-0x0000000000000000-mapping.dmp

Download
memory/2960-180-0x00000291A9BC0000-0x00000291A9BC1000-memory.dmp

Filesize
4KB

Download
memory/2960-182-0x00000291C4BD0000-0x00000291C4BD1000-memory.dmp

Filesize
4KB

Download
memory/2960-158-0x0000000000000000-mapping.dmp

Download
memory/2960-160-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/3100-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3100-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3100-49-0x000000000041A684-mapping.dmp

Download
memory/3120-201-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/3120-191-0x0000000000000000-mapping.dmp

Download
memory/3212-81-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3212-70-0x0000000000000000-mapping.dmp

Download
memory/3212-75-0x0000000071710000-0x0000000071DFE000-memory.dmp

Filesize
6.9MB

Download
memory/3212-96-0x0000000000F20000-0x0000000000F34000-memory.dmp

Filesize
80KB

Download
memory/3212-78-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/3392-200-0x0000000000000000-mapping.dmp

Download
memory/3392-205-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/3448-208-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/3448-202-0x0000000000000000-mapping.dmp

Download
memory/3640-189-0x0000000000000000-mapping.dmp

Download
memory/3640-199-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/3708-18-0x0000000002CB0000-0x0000000002D19000-memory.dmp

Filesize
420KB

Download
memory/3708-15-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3708-14-0x0000000072620000-0x0000000072D0E000-memory.dmp

Filesize
6.9MB

Download
memory/3708-17-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/3708-12-0x0000000000000000-mapping.dmp

Download
memory/3788-72-0x0000000000000000-mapping.dmp

Download
memory/3796-150-0x0000000000000000-mapping.dmp

Download
memory/3968-185-0x0000000000000000-mapping.dmp

Download
memory/3968-194-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/4048-143-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/4048-124-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/4048-119-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/4048-176-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/4048-162-0x0000000008F60000-0x0000000008F93000-memory.dmp

Filesize
204KB

Download
memory/4048-84-0x0000000000000000-mapping.dmp

Download
memory/4048-126-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/4048-183-0x0000000009250000-0x0000000009251000-memory.dmp

Filesize
4KB

Download
memory/4048-89-0x0000000071710000-0x0000000071DFE000-memory.dmp

Filesize
6.9MB

Download
memory/4048-94-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/4048-95-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/4048-148-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

Filesize
4KB

Download
memory/4048-123-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/4048-141-0x0000000007CA0000-0x0000000007CA1000-memory.dmp

Filesize
4KB

Download
memory/4048-178-0x0000000009090000-0x0000000009091000-memory.dmp

Filesize
4KB

Download
memory/4052-186-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/4052-125-0x0000000071710000-0x0000000071DFE000-memory.dmp

Filesize
6.9MB

Download
memory/4052-117-0x0000000000000000-mapping.dmp

Download
memory/4052-192-0x0000000008F10000-0x0000000008F11000-memory.dmp

Filesize
4KB

Download
memory/4180-212-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/4180-204-0x0000000000000000-mapping.dmp

Download
memory/4288-214-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/4288-207-0x0000000000000000-mapping.dmp

Download
memory/4380-217-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/4380-209-0x0000000000000000-mapping.dmp

Download
memory/4488-213-0x0000000000000000-mapping.dmp

Download
memory/4488-223-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/4588-216-0x0000000000000000-mapping.dmp

Download
memory/4588-226-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download
memory/4752-221-0x0000000000000000-mapping.dmp

Download
memory/4752-229-0x00007FF95D1C0000-0x00007FF95DBAC000-memory.dmp

Filesize
9.9MB

Download