asyncrat | c5d1c57f289c7f9f692ad7971b08ec1392082eda028916ff33c27da1c8c3326b

Analysis

max time kernel
61s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
05-01-2021 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NON_DISC.EXE
Size

948KB
MD5

5a26073186d5cd797817ab71676082c1
SHA1

eba609ba96514ea94b9bf91f24ecf4b450c3faaf
SHA256

52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396
SHA512

79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Score

10^/10

asyncrat azorult discovery evasion infostealer persistence rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

hpdndbnb.duckdns.org:3040

hpdndbnb.duckdns.org:2020

hpdndbnb.duckdns.org:4040

gpmaw.duckdns.org:3040

gpmaw.duckdns.org:2020

gpmaw.duckdns.org:4040

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
8pSblfEIKGwvU0W68bmEKGa3zB2hqd4t
anti_detection
false
autorun
true
bdos
false
delay
Default
host
hpdndbnb.duckdns.org,gpmaw.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
3040,2020,4040
version
0.5.7B

aes.plain

Extracted

Family

azorult

http://eurodata1988.it/asy/PL341/index.php

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

NON_DISC.EXEDfnder windows.exepxjvhi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NON_DISC.EXE\""	NON_DISC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Dfnder windows.exe\""	Dfnder windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\pxjvhi.exe\""	pxjvhi.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral4/memory/1336-49-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral4/memory/1336-50-0x000000000040C79E-mapping.dmp	asyncrat
behavioral4/memory/4292-179-0x000000000040C79E-mapping.dmp	asyncrat
behavioral4/memory/4292-268-0x0000000006BC0000-0x0000000006BDB000-memory.dmp	asyncrat

Executes dropped EXE 4 IoCs

Processes:

Dfnder windows.exeDfnder windows.exepxjvhi.exepxjvhi.exe

pid process

4712 Dfnder windows.exe
4292 Dfnder windows.exe
4972 pxjvhi.exe
4660 pxjvhi.exe

pid	process
4712	Dfnder windows.exe
4292	Dfnder windows.exe
4972	pxjvhi.exe
4660	pxjvhi.exe

Drops startup file 6 IoCs

Processes:

NON_DISC.EXEDfnder windows.exepxjvhi.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE	NON_DISC.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe	Dfnder windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe	Dfnder windows.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe	pxjvhi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe	pxjvhi.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE	NON_DISC.EXE

Loads dropped DLL 4 IoCs

Processes:

pxjvhi.exe

pid process

4660 pxjvhi.exe
4660 pxjvhi.exe
4660 pxjvhi.exe
4660 pxjvhi.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4660	pxjvhi.exe
4660	pxjvhi.exe
4660	pxjvhi.exe
4660	pxjvhi.exe

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Dfnder windows.exeNON_DISC.EXEpxjvhi.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe = "0"	Dfnder windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE = "0"	NON_DISC.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	NON_DISC.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Dfnder windows.exe = "0"	Dfnder windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe = "0"	pxjvhi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE = "0"	NON_DISC.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe = "0"	pxjvhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	NON_DISC.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	NON_DISC.EXE

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Dfnder windows.exepxjvhi.exeNON_DISC.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Roaming\\Dfnder windows.exe"	Dfnder windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dfnder windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Dfnder windows.exe"	Dfnder windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pxjvhi.exe"	pxjvhi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\pxjvhi.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pxjvhi.exe"	pxjvhi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NON_DISC.EXE"	NON_DISC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\NON_DISC.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NON_DISC.EXE"	NON_DISC.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll	js

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

Processes:

NON_DISC.EXEDfnder windows.exepxjvhi.exe

description	pid	process	target process
PID 756 set thread context of 1336	756	NON_DISC.EXE	NON_DISC.EXE
PID 4712 set thread context of 4292	4712	Dfnder windows.exe	Dfnder windows.exe
PID 4972 set thread context of 4660	4972	pxjvhi.exe	pxjvhi.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pxjvhi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pxjvhi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	pxjvhi.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4556 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4588 timeout.exe

pid	process
4556	schtasks.exe

pid	process
4588	timeout.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeNON_DISC.EXEpowershell.exepowershell.exepowershell.exepowershell.exeDfnder windows.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepxjvhi.exe

pid	process
216	powershell.exe
2348	powershell.exe
1020	powershell.exe
556	powershell.exe
216	powershell.exe
2348	powershell.exe
1020	powershell.exe
556	powershell.exe
216	powershell.exe
2348	powershell.exe
1020	powershell.exe
556	powershell.exe
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
1336	NON_DISC.EXE
4820	powershell.exe
4840	powershell.exe
4960	powershell.exe
4900	powershell.exe
4820	powershell.exe
4840	powershell.exe
4900	powershell.exe
4960	powershell.exe
4820	powershell.exe
4840	powershell.exe
4900	powershell.exe
4960	powershell.exe
4292	Dfnder windows.exe
508	powershell.exe
508	powershell.exe
508	powershell.exe
4316	powershell.exe
4280	powershell.exe
4140	powershell.exe
4044	powershell.exe
4316	powershell.exe
4280	powershell.exe
4044	powershell.exe
4140	powershell.exe
4316	powershell.exe
4280	powershell.exe
4044	powershell.exe
4140	powershell.exe
4660	pxjvhi.exe
4660	pxjvhi.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

NON_DISC.EXEpowershell.exepowershell.exepowershell.exepowershell.exeNON_DISC.EXEDfnder windows.exepowershell.exepowershell.exepowershell.exepowershell.exeDfnder windows.exepowershell.exepxjvhi.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	756	NON_DISC.EXE
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	1336	NON_DISC.EXE
Token: SeDebugPrivilege	4712	Dfnder windows.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4292	Dfnder windows.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	4972	pxjvhi.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe

Suspicious use of WriteProcessMemory 87 IoCs

Processes:

NON_DISC.EXENON_DISC.EXEcmd.execmd.exeDfnder windows.exeDfnder windows.execmd.exepowershell.exe

description	pid	process	target process
PID 756 wrote to memory of 216	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 216	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 216	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 1020	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 1020	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 1020	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 2348	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 2348	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 2348	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 556	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 556	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 556	756	NON_DISC.EXE	powershell.exe
PID 756 wrote to memory of 1336	756	NON_DISC.EXE	NON_DISC.EXE
PID 756 wrote to memory of 1336	756	NON_DISC.EXE	NON_DISC.EXE
PID 756 wrote to memory of 1336	756	NON_DISC.EXE	NON_DISC.EXE
PID 756 wrote to memory of 1336	756	NON_DISC.EXE	NON_DISC.EXE
PID 756 wrote to memory of 1336	756	NON_DISC.EXE	NON_DISC.EXE
PID 756 wrote to memory of 1336	756	NON_DISC.EXE	NON_DISC.EXE
PID 756 wrote to memory of 1336	756	NON_DISC.EXE	NON_DISC.EXE
PID 756 wrote to memory of 1336	756	NON_DISC.EXE	NON_DISC.EXE
PID 1336 wrote to memory of 4472	1336	NON_DISC.EXE	cmd.exe
PID 1336 wrote to memory of 4472	1336	NON_DISC.EXE	cmd.exe
PID 1336 wrote to memory of 4472	1336	NON_DISC.EXE	cmd.exe
PID 1336 wrote to memory of 4484	1336	NON_DISC.EXE	cmd.exe
PID 1336 wrote to memory of 4484	1336	NON_DISC.EXE	cmd.exe
PID 1336 wrote to memory of 4484	1336	NON_DISC.EXE	cmd.exe
PID 4472 wrote to memory of 4556	4472	cmd.exe	schtasks.exe
PID 4472 wrote to memory of 4556	4472	cmd.exe	schtasks.exe
PID 4472 wrote to memory of 4556	4472	cmd.exe	schtasks.exe
PID 4484 wrote to memory of 4588	4484	cmd.exe	timeout.exe
PID 4484 wrote to memory of 4588	4484	cmd.exe	timeout.exe
PID 4484 wrote to memory of 4588	4484	cmd.exe	timeout.exe
PID 4484 wrote to memory of 4712	4484	cmd.exe	Dfnder windows.exe
PID 4484 wrote to memory of 4712	4484	cmd.exe	Dfnder windows.exe
PID 4484 wrote to memory of 4712	4484	cmd.exe	Dfnder windows.exe
PID 4712 wrote to memory of 4820	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4820	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4820	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4840	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4840	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4840	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4900	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4900	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4900	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4960	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4960	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4960	4712	Dfnder windows.exe	powershell.exe
PID 4712 wrote to memory of 4292	4712	Dfnder windows.exe	Dfnder windows.exe
PID 4712 wrote to memory of 4292	4712	Dfnder windows.exe	Dfnder windows.exe
PID 4712 wrote to memory of 4292	4712	Dfnder windows.exe	Dfnder windows.exe
PID 4712 wrote to memory of 4292	4712	Dfnder windows.exe	Dfnder windows.exe
PID 4712 wrote to memory of 4292	4712	Dfnder windows.exe	Dfnder windows.exe
PID 4712 wrote to memory of 4292	4712	Dfnder windows.exe	Dfnder windows.exe
PID 4712 wrote to memory of 4292	4712	Dfnder windows.exe	Dfnder windows.exe
PID 4712 wrote to memory of 4292	4712	Dfnder windows.exe	Dfnder windows.exe
PID 4292 wrote to memory of 2172	4292	Dfnder windows.exe	cmd.exe
PID 4292 wrote to memory of 2172	4292	Dfnder windows.exe	cmd.exe
PID 4292 wrote to memory of 2172	4292	Dfnder windows.exe	cmd.exe
PID 2172 wrote to memory of 508	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 508	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 508	2172	cmd.exe	powershell.exe
PID 508 wrote to memory of 4972	508	powershell.exe	pxjvhi.exe
PID 508 wrote to memory of 4972	508	powershell.exe	pxjvhi.exe
PID 508 wrote to memory of 4972	508	powershell.exe	pxjvhi.exe

C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE
"C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE
"C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Dfnder windows" /tr '"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Dfnder windows" /tr '"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"'
4⤵
- Creates scheduled task(s)
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D08.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4588

C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe" -Force
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe" -Force
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe" -Force
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Dfnder windows.exe" -Force
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe"' & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe"'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe
"C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe" -Force
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe" -Force
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe" -Force
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe" -Force
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe
"C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dfnder windows.exe.log
MD5
f99aea5f6c27b28f1947f9c0a3b1997e

SHA1
24bf9767fe9964eb1c24ebfe4f8bcd443c5b3f55

SHA256
03e142d8f7e350ba57b5db8861ddcb5a6ece9aeb54093d2a34ec7dcaadc4d454

SHA512
d9a6252e5848762fefdbc172eda0408a0f907a4a13c14fc9ef609066259981b446c0a087cf7d2196723cbdc9fe2528bd56068f2f6b56c6ac75136ee30fe40cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NON_DISC.EXE.log
MD5
f99aea5f6c27b28f1947f9c0a3b1997e

SHA1
24bf9767fe9964eb1c24ebfe4f8bcd443c5b3f55

SHA256
03e142d8f7e350ba57b5db8861ddcb5a6ece9aeb54093d2a34ec7dcaadc4d454

SHA512
d9a6252e5848762fefdbc172eda0408a0f907a4a13c14fc9ef609066259981b446c0a087cf7d2196723cbdc9fe2528bd56068f2f6b56c6ac75136ee30fe40cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8eb9fe73abdc80f1d7de816b112f50d1

SHA1
10f3741f1ea2446685463d45c08ebb64b0dc1424

SHA256
5ce1c1d0c274d116c5b0c421654448dab49054824fef293f8220b9346093be2c

SHA512
69924b71406c80b20f7cea0fe0bcdd43f6b0663006216a612c29952079a3480bc1e123c304d3f5e5bb05ca5be6ecd8721c228cf72c93eb218bac550c249a82d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1b15f07b52090d180adcd68bcff27205

SHA1
9ed313332a72b0b1b2388ab65ad8c974812a3a57

SHA256
1a52df3d7c5ce00e8a4d05bedf1eb5037665ed617adfe406ee286cf0ddf79942

SHA512
92563ca8b55515d945ea42917494b277d9b3b2a52dff21592c718ee67a17f2e0255819c6fcadc7e6b4120a710714cb899fbd36d57230879928c2797bb028dfd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e827d1cdd08a41246a3f4b7061caee0c

SHA1
c709bf6c3ac91bdcfab680a73bbc50450621bbdf

SHA256
6e23b4fc1fe6a76b3ac4519fdf6c78ab0e4151c57d3cc4661922976a135c787d

SHA512
fde84fcef9365ca7ecbbed37343f069cd81cc33c6c22c8cce4f11855a71c477004d2c477180bc45bcbfe5a45f7ecc5be8efa29f598770ff7a74e5af1bd8445d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d81adfe1d5f4fd8757d40afc82eeb5a9

SHA1
10267fc5b24eca9c5f495e9c5a081037cb38dd5e

SHA256
40a8c7f8fb9eab701fa875e9fb2af87004afac4fbcf3d6c4b2648d9357fba4f0

SHA512
c5901ae079c8b2e39af1d8fa40fd5ab79cac0eb0f3a18aa5a029aed99aeede2d66355ac300de416d0d8ee54dd66867cd407a0f21abf82797c2503867137bb894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9fdbde1d2067bcbd94ae70b5f50b01fb

SHA1
f5fe3626235520d6ef3c07e62af71c70522f616c

SHA256
298d6f3c9254cfaf143a79b6ae9b86fa88e02ae27efe5a66afd410ce6f5e75fe

SHA512
0e2f8053ff858e12fa19d68897a7d4ad87b9af7583c9c7043625429b522fef6fa796bc28962fb3af934d6e241686f516cbc13188b9ec3c0cd5a969964dc9e36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
45489f73bd30d4681cf6993ccc11ece4

SHA1
269cf705f44a1220fea7e5273f5eb80159ab1521

SHA256
bde63e7fdc366b979dce7e0e082ba1a5edafc81eb5d6ce9a8f535c34f014fcde

SHA512
44f6df5a9c756daea95a114f25286a1e63e7f2c104a31a78288c1786e3de8e535763443ca5597d159f27ae21934d3685c4926b14410cd3c5faa45569b67fa79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
45489f73bd30d4681cf6993ccc11ece4

SHA1
269cf705f44a1220fea7e5273f5eb80159ab1521

SHA256
bde63e7fdc366b979dce7e0e082ba1a5edafc81eb5d6ce9a8f535c34f014fcde

SHA512
44f6df5a9c756daea95a114f25286a1e63e7f2c104a31a78288c1786e3de8e535763443ca5597d159f27ae21934d3685c4926b14410cd3c5faa45569b67fa79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
45489f73bd30d4681cf6993ccc11ece4

SHA1
269cf705f44a1220fea7e5273f5eb80159ab1521

SHA256
bde63e7fdc366b979dce7e0e082ba1a5edafc81eb5d6ce9a8f535c34f014fcde

SHA512
44f6df5a9c756daea95a114f25286a1e63e7f2c104a31a78288c1786e3de8e535763443ca5597d159f27ae21934d3685c4926b14410cd3c5faa45569b67fa79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
63a6e2b54743ef9a91330ca704ce3731

SHA1
0aa576f4e98394b73cbd03f73675a5c11f53c018

SHA256
e170616987e9c6b322ed3f1879ad419390154b10221c4d15f4072a076571f027

SHA512
acf92b78f2b5ced5da2fb024550d1faa3fc3aac35fba40ec1ff6bfbcab44bc26365c0fcd60a824b06bde0cf62beb5648cd4968d7966c28c59f123587ea94869c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7e2a3dadb9cdde046044dafeb6cb4063

SHA1
65bfce36e750038fdaac1050e0061d2a0bd96342

SHA256
5e2afbaea90100f3fbe69c744cdaf8d6d132374adb3d8a4ced73e5ca001e5e8f

SHA512
7390daa172248d250ae81024b23b91a3a23820e82130d340c6093feae9608a5c8e5bb8cb4a01c538828f906257f1f54c878d9147d1e944ae14da26cbd8ad8516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a154fc61d943c9c0e9de17ccce969aa7

SHA1
92a2e903b550b985ebf39d7a97f2b9901b5a7c32

SHA256
7e895e646d19f776078157ae335c9661eba4b98a6d0c2409c8154df4f3b6d556

SHA512
886a426dbf4558140c2e280d3601df1ee9a0e312bf97d87644bfdae506a26b5e90157a674d44f930ea39a3e686c142a3f4ec8fd7c8ce0db58fd216a8a293b50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D08.tmp.bat
MD5
e9b4c7772fd1d2d1b4cd6c5616a021eb

SHA1
aa5a90ee0a76ff0562afdf411fd77a643ed5820f

SHA256
dbea7548498f111901474bec9477af33ae6f1e25f09ffc70aa27db0e43c79ed8

SHA512
33f5d38679801b15f3dc5d0a8bd4b9aa96b97475d96e25b37a7613b8764f55144e0d6d5f4d2de1798136d449c92b52ad4d25fe1db2e6da420cc3d289d0fb3570

Download Submit
C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
5a26073186d5cd797817ab71676082c1

SHA1
eba609ba96514ea94b9bf91f24ecf4b450c3faaf

SHA256
52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396

SHA512
79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Download Submit
C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
5a26073186d5cd797817ab71676082c1

SHA1
eba609ba96514ea94b9bf91f24ecf4b450c3faaf

SHA256
52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396

SHA512
79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Download Submit
C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
5a26073186d5cd797817ab71676082c1

SHA1
eba609ba96514ea94b9bf91f24ecf4b450c3faaf

SHA256
52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396

SHA512
79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\mozglue.dll
MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll
MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/216-17-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/216-15-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/216-60-0x0000000009330000-0x0000000009363000-memory.dmp

Filesize
204KB

Download
memory/216-70-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/216-72-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download
memory/216-94-0x0000000009650000-0x0000000009651000-memory.dmp

Filesize
4KB

Download
memory/216-46-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/216-43-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/216-42-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/216-29-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/216-28-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/216-27-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/216-110-0x0000000009600000-0x0000000009601000-memory.dmp

Filesize
4KB

Download
memory/216-112-0x00000000095F0000-0x00000000095F1000-memory.dmp

Filesize
4KB

Download
memory/216-26-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/216-10-0x0000000000000000-mapping.dmp

Download
memory/216-13-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/508-285-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/508-270-0x0000000000000000-mapping.dmp

Download
memory/508-271-0x0000000000000000-mapping.dmp

Download
memory/508-272-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/508-284-0x0000000008A00000-0x0000000008A01000-memory.dmp

Filesize
4KB

Download
memory/556-23-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/556-14-0x0000000000000000-mapping.dmp

Download
memory/756-2-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/756-9-0x0000000005970000-0x0000000005991000-memory.dmp

Filesize
132KB

Download
memory/756-8-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/756-7-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/756-6-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/756-5-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/756-3-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1020-11-0x0000000000000000-mapping.dmp

Download
memory/1020-16-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/1336-50-0x000000000040C79E-mapping.dmp

Download
memory/1336-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1336-51-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-269-0x0000000000000000-mapping.dmp

Download
memory/2348-12-0x0000000000000000-mapping.dmp

Download
memory/2348-19-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/4044-301-0x0000000000000000-mapping.dmp

Download
memory/4044-308-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/4140-300-0x0000000000000000-mapping.dmp

Download
memory/4140-309-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/4280-298-0x0000000000000000-mapping.dmp

Download
memory/4280-303-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/4292-261-0x00000000069A0000-0x0000000006A19000-memory.dmp

Filesize
484KB

Download
memory/4292-262-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/4292-267-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/4292-268-0x0000000006BC0000-0x0000000006BDB000-memory.dmp

Filesize
108KB

Download
memory/4292-265-0x0000000006FD0000-0x000000000705D000-memory.dmp

Filesize
564KB

Download
memory/4292-179-0x000000000040C79E-mapping.dmp

Download
memory/4292-266-0x0000000007160000-0x00000000071B9000-memory.dmp

Filesize
356KB

Download
memory/4292-263-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/4292-264-0x0000000006B80000-0x0000000006B84000-memory.dmp

Filesize
16KB

Download
memory/4292-184-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/4316-302-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/4316-363-0x0000000009750000-0x0000000009751000-memory.dmp

Filesize
4KB

Download
memory/4316-299-0x0000000000000000-mapping.dmp

Download
memory/4472-104-0x0000000000000000-mapping.dmp

Download
memory/4484-105-0x0000000000000000-mapping.dmp

Download
memory/4556-107-0x0000000000000000-mapping.dmp

Download
memory/4588-109-0x0000000000000000-mapping.dmp

Download
memory/4660-321-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4660-322-0x000000000041A684-mapping.dmp

Download
memory/4660-325-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4712-134-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/4712-130-0x0000000000000000-mapping.dmp

Download
memory/4712-131-0x0000000000000000-mapping.dmp

Download
memory/4820-146-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/4820-142-0x0000000000000000-mapping.dmp

Download
memory/4820-163-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/4820-207-0x00000000093A0000-0x00000000093A1000-memory.dmp

Filesize
4KB

Download
memory/4840-147-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/4840-143-0x0000000000000000-mapping.dmp

Download
memory/4900-151-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/4900-144-0x0000000000000000-mapping.dmp

Download
memory/4960-145-0x0000000000000000-mapping.dmp

Download
memory/4960-155-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/4972-297-0x0000000005180000-0x00000000051B2000-memory.dmp

Filesize
200KB

Download
memory/4972-288-0x0000000000000000-mapping.dmp

Download
memory/4972-291-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4972-290-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download