asyncrat | b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261

Analysis

max time kernel
74s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
11-11-2020 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d01213c51ed2570b263b28fa4b9f320.exe
Size

1.1MB
MD5

6d01213c51ed2570b263b28fa4b9f320
SHA1

aa5aa4142ff6de7e5560424d252c2bf234f14651
SHA256

b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261
SHA512

0ca8354473740c4f6212159f98571eaf3041ea895a3e067b52c9b5e380c948cc5df0fa18171674c35afd5f0bdeb75e676b41a548be1a3e05ed5f7906a8365766

Score

10^/10

asyncrat azorult modiloader discovery evasion infostealer rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/3128-80-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral2/memory/3128-81-0x000000000040616E-mapping.dmp	disable_win_def
behavioral2/memory/3924-102-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral2/memory/3924-103-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral2/files/0x000200000001ab5d-113.dat	disable_win_def
behavioral2/files/0x000200000001ab5d-112.dat	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3156-71-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3156-72-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4032-153-0x0000000004AA0000-0x0000000004AFC000-memory.dmp	modiloader_stage1

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4032-212-0x0000000005500000-0x000000000554D000-memory.dmp	modiloader_stage2

ServiceHost packer 45 IoCs

Detects ServiceHost packer used for .NET malware

resource	yara_rule
behavioral2/memory/2512-235-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-237-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-239-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-241-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-243-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-245-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-247-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-249-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-251-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-253-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-255-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-257-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-259-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-261-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-263-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-265-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-267-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-269-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-271-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-273-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-275-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-277-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-279-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-281-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-283-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-287-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-285-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-293-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-291-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-289-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-295-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-297-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-303-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-301-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-299-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-305-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-307-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-309-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-317-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-315-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-319-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-321-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-323-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-325-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2512-327-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 9 IoCs

pid	Process
3372	axcjgfhwvvas.exe
3116	1RdiI043Xv.exe
4032	hgN08oxHXW.exe
3520	8k4ZdjKXIU.exe
2468	o4I9l466WN.exe
3156	1RdiI043Xv.exe
3128	8k4ZdjKXIU.exe
3924	o4I9l466WN.exe
3104	vbca4x3e.exe

Loads dropped DLL 6 IoCs

pid	Process
3352	6d01213c51ed2570b263b28fa4b9f320.exe
3352	6d01213c51ed2570b263b28fa4b9f320.exe
3352	6d01213c51ed2570b263b28fa4b9f320.exe
3352	6d01213c51ed2570b263b28fa4b9f320.exe
3352	6d01213c51ed2570b263b28fa4b9f320.exe
3352	6d01213c51ed2570b263b28fa4b9f320.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o4I9l466WN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o4I9l466WN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	6d01213c51ed2570b263b28fa4b9f320.exe

JavaScript code in executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab72-30.dat	js
behavioral2/files/0x000200000001ab77-433.dat	js

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3980 set thread context of 3352	3980	6d01213c51ed2570b263b28fa4b9f320.exe	81
PID 3116 set thread context of 3156	3116	1RdiI043Xv.exe	89
PID 3520 set thread context of 3128	3520	8k4ZdjKXIU.exe	90
PID 2468 set thread context of 3924	2468	o4I9l466WN.exe	93

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3012	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
856	taskkill.exe

Suspicious behavior: EnumeratesProcesses 373 IoCs

pid	Process
3980	6d01213c51ed2570b263b28fa4b9f320.exe
3980	6d01213c51ed2570b263b28fa4b9f320.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe
1160	powershell.exe
512	powershell.exe
512	powershell.exe
1160	powershell.exe
512	powershell.exe
1160	powershell.exe
3920	powershell.exe
1908	powershell.exe
2840	powershell.exe
2964	powershell.exe
2964	powershell.exe
504	powershell.exe
504	powershell.exe
1120	powershell.exe
1120	powershell.exe
4112	powershell.exe
4112	powershell.exe
4212	powershell.exe
4212	powershell.exe
4320	powershell.exe
4320	powershell.exe
3920	powershell.exe
3920	powershell.exe
1908	powershell.exe
1908	powershell.exe
4456	powershell.exe
4456	powershell.exe
2840	powershell.exe
2840	powershell.exe
4580	powershell.exe
4580	powershell.exe
1120	powershell.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	6d01213c51ed2570b263b28fa4b9f320.exe
Token: SeDebugPrivilege	3116	1RdiI043Xv.exe
Token: SeDebugPrivilege	3520	8k4ZdjKXIU.exe
Token: SeDebugPrivilege	3128	8k4ZdjKXIU.exe
Token: SeDebugPrivilege	2468	o4I9l466WN.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeIncreaseQuotaPrivilege	512	powershell.exe
Token: SeSecurityPrivilege	512	powershell.exe
Token: SeTakeOwnershipPrivilege	512	powershell.exe
Token: SeLoadDriverPrivilege	512	powershell.exe
Token: SeSystemProfilePrivilege	512	powershell.exe
Token: SeSystemtimePrivilege	512	powershell.exe
Token: SeProfSingleProcessPrivilege	512	powershell.exe
Token: SeIncBasePriorityPrivilege	512	powershell.exe
Token: SeCreatePagefilePrivilege	512	powershell.exe
Token: SeBackupPrivilege	512	powershell.exe
Token: SeRestorePrivilege	512	powershell.exe
Token: SeShutdownPrivilege	512	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeSystemEnvironmentPrivilege	512	powershell.exe
Token: SeRemoteShutdownPrivilege	512	powershell.exe
Token: SeUndockPrivilege	512	powershell.exe
Token: SeManageVolumePrivilege	512	powershell.exe
Token: 33	512	powershell.exe
Token: 34	512	powershell.exe
Token: 35	512	powershell.exe
Token: 36	512	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	504	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3128	8k4ZdjKXIU.exe
3128	8k4ZdjKXIU.exe

Suspicious use of WriteProcessMemory 97 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 3372	3980	6d01213c51ed2570b263b28fa4b9f320.exe	79
PID 3980 wrote to memory of 3372	3980	6d01213c51ed2570b263b28fa4b9f320.exe	79
PID 3980 wrote to memory of 3372	3980	6d01213c51ed2570b263b28fa4b9f320.exe	79
PID 3980 wrote to memory of 3100	3980	6d01213c51ed2570b263b28fa4b9f320.exe	80
PID 3980 wrote to memory of 3100	3980	6d01213c51ed2570b263b28fa4b9f320.exe	80
PID 3980 wrote to memory of 3100	3980	6d01213c51ed2570b263b28fa4b9f320.exe	80
PID 3980 wrote to memory of 3352	3980	6d01213c51ed2570b263b28fa4b9f320.exe	81
PID 3980 wrote to memory of 3352	3980	6d01213c51ed2570b263b28fa4b9f320.exe	81
PID 3980 wrote to memory of 3352	3980	6d01213c51ed2570b263b28fa4b9f320.exe	81
PID 3980 wrote to memory of 3352	3980	6d01213c51ed2570b263b28fa4b9f320.exe	81
PID 3980 wrote to memory of 3352	3980	6d01213c51ed2570b263b28fa4b9f320.exe	81
PID 3980 wrote to memory of 3352	3980	6d01213c51ed2570b263b28fa4b9f320.exe	81
PID 3980 wrote to memory of 3352	3980	6d01213c51ed2570b263b28fa4b9f320.exe	81
PID 3980 wrote to memory of 3352	3980	6d01213c51ed2570b263b28fa4b9f320.exe	81
PID 3980 wrote to memory of 3352	3980	6d01213c51ed2570b263b28fa4b9f320.exe	81
PID 3352 wrote to memory of 3116	3352	6d01213c51ed2570b263b28fa4b9f320.exe	82
PID 3352 wrote to memory of 3116	3352	6d01213c51ed2570b263b28fa4b9f320.exe	82
PID 3352 wrote to memory of 3116	3352	6d01213c51ed2570b263b28fa4b9f320.exe	82
PID 3352 wrote to memory of 4032	3352	6d01213c51ed2570b263b28fa4b9f320.exe	83
PID 3352 wrote to memory of 4032	3352	6d01213c51ed2570b263b28fa4b9f320.exe	83
PID 3352 wrote to memory of 4032	3352	6d01213c51ed2570b263b28fa4b9f320.exe	83
PID 3352 wrote to memory of 3520	3352	6d01213c51ed2570b263b28fa4b9f320.exe	84
PID 3352 wrote to memory of 3520	3352	6d01213c51ed2570b263b28fa4b9f320.exe	84
PID 3352 wrote to memory of 3520	3352	6d01213c51ed2570b263b28fa4b9f320.exe	84
PID 3352 wrote to memory of 2468	3352	6d01213c51ed2570b263b28fa4b9f320.exe	85
PID 3352 wrote to memory of 2468	3352	6d01213c51ed2570b263b28fa4b9f320.exe	85
PID 3352 wrote to memory of 2468	3352	6d01213c51ed2570b263b28fa4b9f320.exe	85
PID 3352 wrote to memory of 2492	3352	6d01213c51ed2570b263b28fa4b9f320.exe	86
PID 3352 wrote to memory of 2492	3352	6d01213c51ed2570b263b28fa4b9f320.exe	86
PID 3352 wrote to memory of 2492	3352	6d01213c51ed2570b263b28fa4b9f320.exe	86
PID 2492 wrote to memory of 3012	2492	cmd.exe	88
PID 2492 wrote to memory of 3012	2492	cmd.exe	88
PID 2492 wrote to memory of 3012	2492	cmd.exe	88
PID 3116 wrote to memory of 3156	3116	1RdiI043Xv.exe	89
PID 3116 wrote to memory of 3156	3116	1RdiI043Xv.exe	89
PID 3116 wrote to memory of 3156	3116	1RdiI043Xv.exe	89
PID 3116 wrote to memory of 3156	3116	1RdiI043Xv.exe	89
PID 3116 wrote to memory of 3156	3116	1RdiI043Xv.exe	89
PID 3116 wrote to memory of 3156	3116	1RdiI043Xv.exe	89
PID 3116 wrote to memory of 3156	3116	1RdiI043Xv.exe	89
PID 3116 wrote to memory of 3156	3116	1RdiI043Xv.exe	89
PID 3520 wrote to memory of 3128	3520	8k4ZdjKXIU.exe	90
PID 3520 wrote to memory of 3128	3520	8k4ZdjKXIU.exe	90
PID 3520 wrote to memory of 3128	3520	8k4ZdjKXIU.exe	90
PID 3520 wrote to memory of 3128	3520	8k4ZdjKXIU.exe	90
PID 3520 wrote to memory of 3128	3520	8k4ZdjKXIU.exe	90
PID 3520 wrote to memory of 3128	3520	8k4ZdjKXIU.exe	90
PID 3520 wrote to memory of 3128	3520	8k4ZdjKXIU.exe	90
PID 3520 wrote to memory of 3128	3520	8k4ZdjKXIU.exe	90
PID 3128 wrote to memory of 3252	3128	8k4ZdjKXIU.exe	91
PID 3128 wrote to memory of 3252	3128	8k4ZdjKXIU.exe	91
PID 3128 wrote to memory of 3252	3128	8k4ZdjKXIU.exe	91
PID 2468 wrote to memory of 3924	2468	o4I9l466WN.exe	93
PID 2468 wrote to memory of 3924	2468	o4I9l466WN.exe	93
PID 2468 wrote to memory of 3924	2468	o4I9l466WN.exe	93
PID 3492 wrote to memory of 1540	3492	DllHost.exe	94
PID 3492 wrote to memory of 1540	3492	DllHost.exe	94
PID 3492 wrote to memory of 1540	3492	DllHost.exe	94
PID 2468 wrote to memory of 3924	2468	o4I9l466WN.exe	93
PID 2468 wrote to memory of 3924	2468	o4I9l466WN.exe	93
PID 2468 wrote to memory of 3924	2468	o4I9l466WN.exe	93
PID 2468 wrote to memory of 3924	2468	o4I9l466WN.exe	93
PID 2468 wrote to memory of 3924	2468	o4I9l466WN.exe	93
PID 3924 wrote to memory of 1160	3924	o4I9l466WN.exe	96
PID 3924 wrote to memory of 1160	3924	o4I9l466WN.exe	96
PID 3924 wrote to memory of 1160	3924	o4I9l466WN.exe	96
PID 1540 wrote to memory of 3104	1540	cmd.exe	98
PID 1540 wrote to memory of 3104	1540	cmd.exe	98
PID 3492 wrote to memory of 856	3492	DllHost.exe	99
PID 3492 wrote to memory of 856	3492	DllHost.exe	99
PID 3492 wrote to memory of 856	3492	DllHost.exe	99
PID 3104 wrote to memory of 512	3104	vbca4x3e.exe	100
PID 3104 wrote to memory of 512	3104	vbca4x3e.exe	100
PID 3104 wrote to memory of 3920	3104	vbca4x3e.exe	105
PID 3104 wrote to memory of 3920	3104	vbca4x3e.exe	105
PID 3104 wrote to memory of 1908	3104	vbca4x3e.exe	107
PID 3104 wrote to memory of 1908	3104	vbca4x3e.exe	107
PID 3104 wrote to memory of 2840	3104	vbca4x3e.exe	109
PID 3104 wrote to memory of 2840	3104	vbca4x3e.exe	109
PID 3104 wrote to memory of 1120	3104	vbca4x3e.exe	111
PID 3104 wrote to memory of 1120	3104	vbca4x3e.exe	111
PID 3104 wrote to memory of 2964	3104	vbca4x3e.exe	113
PID 3104 wrote to memory of 2964	3104	vbca4x3e.exe	113
PID 3104 wrote to memory of 504	3104	vbca4x3e.exe	115
PID 3104 wrote to memory of 504	3104	vbca4x3e.exe	115
PID 3104 wrote to memory of 4112	3104	vbca4x3e.exe	117
PID 3104 wrote to memory of 4112	3104	vbca4x3e.exe	117
PID 3104 wrote to memory of 4212	3104	vbca4x3e.exe	119
PID 3104 wrote to memory of 4212	3104	vbca4x3e.exe	119
PID 3104 wrote to memory of 4320	3104	vbca4x3e.exe	121
PID 3104 wrote to memory of 4320	3104	vbca4x3e.exe	121
PID 3104 wrote to memory of 4456	3104	vbca4x3e.exe	123
PID 3104 wrote to memory of 4456	3104	vbca4x3e.exe	123
PID 3104 wrote to memory of 4580	3104	vbca4x3e.exe	125
PID 3104 wrote to memory of 4580	3104	vbca4x3e.exe	125
PID 3104 wrote to memory of 4680	3104	vbca4x3e.exe	127
PID 3104 wrote to memory of 4680	3104	vbca4x3e.exe	127

C:\Users\Admin\AppData\Local\Temp\6d01213c51ed2570b263b28fa4b9f320.exe
"C:\Users\Admin\AppData\Local\Temp\6d01213c51ed2570b263b28fa4b9f320.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
  "C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Users\Admin\AppData\Local\Temp\6d01213c51ed2570b263b28fa4b9f320.exe
  "{path}"
  2⤵
  PID:3100
- C:\Users\Admin\AppData\Local\Temp\6d01213c51ed2570b263b28fa4b9f320.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\1RdiI043Xv.exe
    "C:\Users\Admin\AppData\Local\Temp\1RdiI043Xv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\1RdiI043Xv.exe
      "C:\Users\Admin\AppData\Local\Temp\1RdiI043Xv.exe"
      4⤵
      Executes dropped EXE
      PID:3156
- - C:\Users\Admin\AppData\Local\Temp\hgN08oxHXW.exe
    "C:\Users\Admin\AppData\Local\Temp\hgN08oxHXW.exe"
    3⤵
    - Executes dropped EXE
    PID:4032
- - C:\Users\Admin\AppData\Local\Temp\8k4ZdjKXIU.exe
    "C:\Users\Admin\AppData\Local\Temp\8k4ZdjKXIU.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\8k4ZdjKXIU.exe
      "C:\Users\Admin\AppData\Local\Temp\8k4ZdjKXIU.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3128
    - - \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\gap112qz.inf
        5⤵
        
        PID:3252
- - C:\Users\Admin\AppData\Local\Temp\o4I9l466WN.exe
    "C:\Users\Admin\AppData\Local\Temp\o4I9l466WN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\o4I9l466WN.exe
      "C:\Users\Admin\AppData\Local\Temp\o4I9l466WN.exe"
      4⤵
      Executes dropped EXE
      Windows security modification
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\6d01213c51ed2570b263b28fa4b9f320.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:3012

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\vbca4x3e.exe
  2⤵
  PID:1540
- - C:\Windows\temp\vbca4x3e.exe
    C:\Windows\temp\vbca4x3e.exe
    3⤵
    - Executes dropped EXE
    PID:3104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      PID:4680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/504-150-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/512-122-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/512-128-0x000001EBF1370000-0x000001EBF1371000-memory.dmp

Filesize
4KB

Download
memory/512-126-0x000001EBD6F80000-0x000001EBD6F81000-memory.dmp

Filesize
4KB

Download
memory/1120-142-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/1160-130-0x0000000008B50000-0x0000000008B51000-memory.dmp

Filesize
4KB

Download
memory/1160-193-0x0000000009BD0000-0x0000000009BD1000-memory.dmp

Filesize
4KB

Download
memory/1160-114-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/1160-131-0x0000000008A20000-0x0000000008A21000-memory.dmp

Filesize
4KB

Download
memory/1160-147-0x00000000099C0000-0x00000000099F3000-memory.dmp

Filesize
204KB

Download
memory/1160-162-0x00000000099A0000-0x00000000099A1000-memory.dmp

Filesize
4KB

Download
memory/1160-129-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/1160-124-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/1160-164-0x0000000009AF0000-0x0000000009AF1000-memory.dmp

Filesize
4KB

Download
memory/1160-125-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

Filesize
4KB

Download
memory/1160-127-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/1160-196-0x0000000009BC0000-0x0000000009BC1000-memory.dmp

Filesize
4KB

Download
memory/1160-118-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/1160-123-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/1160-116-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/1160-174-0x0000000009CD0000-0x0000000009CD1000-memory.dmp

Filesize
4KB

Download
memory/1908-138-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/2468-99-0x0000000005A20000-0x0000000005A58000-memory.dmp

Filesize
224KB

Download
memory/2468-61-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-63-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2512-228-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2512-231-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2840-140-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-144-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/3104-117-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3104-115-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/3116-40-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3116-41-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3116-70-0x0000000005850000-0x0000000005866000-memory.dmp

Filesize
88KB

Download
memory/3116-69-0x00000000057E0000-0x0000000005820000-memory.dmp

Filesize
256KB

Download
memory/3128-84-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3128-80-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3156-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3156-75-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3252-93-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3252-95-0x0000000005120000-0x0000000005221000-memory.dmp

Filesize
1.0MB

Download
memory/3352-16-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3352-19-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3372-17-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3372-20-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3372-210-0x00000000059F0000-0x0000000005A37000-memory.dmp

Filesize
284KB

Download
memory/3372-22-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3520-78-0x00000000065E0000-0x0000000006611000-memory.dmp

Filesize
196KB

Download
memory/3520-53-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/3520-52-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3760-221-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3760-217-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3916-401-0x0000000004EB0000-0x0000000004F09000-memory.dmp

Filesize
356KB

Download
memory/3916-223-0x00000000073C0000-0x000000000741B000-memory.dmp

Filesize
364KB

Download
memory/3916-220-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3916-216-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3920-137-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/3924-106-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3924-102-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3980-10-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3980-0-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3980-5-0x000000000A090000-0x000000000A091000-memory.dmp

Filesize
4KB

Download
memory/3980-8-0x000000000C5E0000-0x000000000C5F4000-memory.dmp

Filesize
80KB

Download
memory/3980-6-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/3980-7-0x000000000C910000-0x000000000C911000-memory.dmp

Filesize
4KB

Download
memory/3980-4-0x000000000A590000-0x000000000A591000-memory.dmp

Filesize
4KB

Download
memory/3980-9-0x0000000004C40000-0x0000000004CFA000-memory.dmp

Filesize
744KB

Download
memory/3980-3-0x0000000006FC0000-0x0000000007088000-memory.dmp

Filesize
800KB

Download
memory/3980-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4032-153-0x0000000004AA0000-0x0000000004AFC000-memory.dmp

Filesize
368KB

Download
memory/4032-212-0x0000000005500000-0x000000000554D000-memory.dmp

Filesize
308KB

Download
memory/4112-158-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/4212-165-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/4320-167-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/4456-170-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/4580-173-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/4680-176-0x00007FFCA08C0000-0x00007FFCA12AC000-memory.dmp

Filesize
9.9MB

Download
memory/5072-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download