asyncrat | e441a0b3219c4844b20782d395d3132d7d5459cf9625a8dffd13ffbbd8d621dc

Analysis

max time kernel
27s
max time network
146s
platform
windows10_x64
resource
win10-en-20211014
submitted
23-10-2021 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e441a0b3.exe
Size

124KB
MD5

6c3143f9141f1fcd12ee35dfd7f7c5c6
SHA1

dd57207bc55b7137ab84c9c7d9ce2a800671f24a
SHA256

e441a0b3219c4844b20782d395d3132d7d5459cf9625a8dffd13ffbbd8d621dc
SHA512

90640764a8b2f36cdddc00790f8afbe6ccd940078ec1ad7a031fed5de0a3d2fce617e59f5de7c310effac6044f4e4c200fe7ab73cb1f508587ea71003add161f

Score

10^/10

asyncrat nanocore default evasion keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

sbdndbnb.duckdns.org:3040

Mutex

42c14bc9-0c03-49f5-a618-16e05d66d377

Attributes

activate_away_mode
true
backup_connection_host
sbdndbnb.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-07-09T21:43:24.855515336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3040
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
42c14bc9-0c03-49f5-a618-16e05d66d377
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sbdndbnb.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

hpdndbnb.duckdns.org:2020

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
true
install_file
Dfnder windows.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2920-191-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/2920-193-0x000000000040C76E-mapping.dmp	asyncrat
behavioral2/memory/4172-1133-0x000000000040C76E-mapping.dmp	asyncrat

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeb8113c58-b9a4-4055-bee9-911703c3c212.exe

pid process

1588 AdvancedRun.exe
3528 AdvancedRun.exe
2168 b8113c58-b9a4-4055-bee9-911703c3c212.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

e441a0b3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	e441a0b3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	e441a0b3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	e441a0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\컂캰캀캰캃캵캇캳캲캡캰캵캆캆캆\svchost.exe = "0"	e441a0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e441a0b3.exe = "0"	e441a0b3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	e441a0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	e441a0b3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	e441a0b3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	e441a0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	e441a0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	e441a0b3.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b8113c58-b9a4-4055-bee9-911703c3c212.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b8113c58-b9a4-4055-bee9-911703c3c212.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

e441a0b3.exe

pid	process
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e441a0b3.exe

description pid process target process

PID 2680 set thread context of 2920 2680 e441a0b3.exe e441a0b3.exe

description	pid	process	target process
PID 2680 set thread context of 2920	2680	e441a0b3.exe	e441a0b3.exe

Drops file in Windows directory 3 IoCs

Processes:

e441a0b3.exeWerFault.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\컂캰캀캰캃캵캇캳캲캡캰캵캆캆캆\svchost.exe	e441a0b3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\컂캰캀캰캃캵캇캳캲캡캰캵캆캆캆\svchost.exe	e441a0b3.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1608 2680 WerFault.exe e441a0b3.exe
4328 3888 WerFault.exe Dfnder windows.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

908 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

940 timeout.exe

pid	pid_target	process	target process
1608	2680	WerFault.exe	e441a0b3.exe
4328	3888	WerFault.exe	Dfnder windows.exe

pid	process
908	schtasks.exe

pid	process
940	timeout.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

AdvancedRun.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exee441a0b3.exepowershell.exeWerFault.exeb8113c58-b9a4-4055-bee9-911703c3c212.exee441a0b3.exe

pid	process
1588	AdvancedRun.exe
1588	AdvancedRun.exe
648	powershell.exe
1588	AdvancedRun.exe
1588	AdvancedRun.exe
3204	powershell.exe
2188	powershell.exe
3528	AdvancedRun.exe
3528	AdvancedRun.exe
3528	AdvancedRun.exe
3528	AdvancedRun.exe
2188	powershell.exe
648	powershell.exe
3204	powershell.exe
2188	powershell.exe
648	powershell.exe
3204	powershell.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
1700	powershell.exe
2680	e441a0b3.exe
2680	e441a0b3.exe
1700	powershell.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1700	powershell.exe
2168	b8113c58-b9a4-4055-bee9-911703c3c212.exe
2168	b8113c58-b9a4-4055-bee9-911703c3c212.exe
2168	b8113c58-b9a4-4055-bee9-911703c3c212.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe
2920	e441a0b3.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

e441a0b3.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exeWerFault.exeb8113c58-b9a4-4055-bee9-911703c3c212.exee441a0b3.exe

description	pid	process
Token: SeDebugPrivilege	2680	e441a0b3.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	1588	AdvancedRun.exe
Token: SeImpersonatePrivilege	1588	AdvancedRun.exe
Token: SeDebugPrivilege	3528	AdvancedRun.exe
Token: SeImpersonatePrivilege	3528	AdvancedRun.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeRestorePrivilege	1608	WerFault.exe
Token: SeBackupPrivilege	1608	WerFault.exe
Token: SeBackupPrivilege	1608	WerFault.exe
Token: SeDebugPrivilege	1608	WerFault.exe
Token: SeDebugPrivilege	2168	b8113c58-b9a4-4055-bee9-911703c3c212.exe
Token: SeDebugPrivilege	2920	e441a0b3.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

e441a0b3.exeAdvancedRun.exee441a0b3.execmd.exepowershell.exe

description	pid	process	target process
PID 2680 wrote to memory of 3204	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 3204	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 3204	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 648	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 648	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 648	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 2188	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 2188	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 2188	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 1588	2680	e441a0b3.exe	AdvancedRun.exe
PID 2680 wrote to memory of 1588	2680	e441a0b3.exe	AdvancedRun.exe
PID 2680 wrote to memory of 1588	2680	e441a0b3.exe	AdvancedRun.exe
PID 1588 wrote to memory of 3528	1588	AdvancedRun.exe	AdvancedRun.exe
PID 1588 wrote to memory of 3528	1588	AdvancedRun.exe	AdvancedRun.exe
PID 1588 wrote to memory of 3528	1588	AdvancedRun.exe	AdvancedRun.exe
PID 2680 wrote to memory of 1700	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 1700	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 1700	2680	e441a0b3.exe	powershell.exe
PID 2680 wrote to memory of 2168	2680	e441a0b3.exe	b8113c58-b9a4-4055-bee9-911703c3c212.exe
PID 2680 wrote to memory of 2168	2680	e441a0b3.exe	b8113c58-b9a4-4055-bee9-911703c3c212.exe
PID 2680 wrote to memory of 2168	2680	e441a0b3.exe	b8113c58-b9a4-4055-bee9-911703c3c212.exe
PID 2680 wrote to memory of 2960	2680	e441a0b3.exe	e441a0b3.exe
PID 2680 wrote to memory of 2960	2680	e441a0b3.exe	e441a0b3.exe
PID 2680 wrote to memory of 2960	2680	e441a0b3.exe	e441a0b3.exe
PID 2680 wrote to memory of 2920	2680	e441a0b3.exe	e441a0b3.exe
PID 2680 wrote to memory of 2920	2680	e441a0b3.exe	e441a0b3.exe
PID 2680 wrote to memory of 2920	2680	e441a0b3.exe	e441a0b3.exe
PID 2680 wrote to memory of 2920	2680	e441a0b3.exe	e441a0b3.exe
PID 2680 wrote to memory of 2920	2680	e441a0b3.exe	e441a0b3.exe
PID 2680 wrote to memory of 2920	2680	e441a0b3.exe	e441a0b3.exe
PID 2680 wrote to memory of 2920	2680	e441a0b3.exe	e441a0b3.exe
PID 2680 wrote to memory of 2920	2680	e441a0b3.exe	e441a0b3.exe
PID 2920 wrote to memory of 640	2920	e441a0b3.exe	powershell.exe
PID 2920 wrote to memory of 640	2920	e441a0b3.exe	powershell.exe
PID 2920 wrote to memory of 640	2920	e441a0b3.exe	powershell.exe
PID 2920 wrote to memory of 752	2920	e441a0b3.exe	cmd.exe
PID 2920 wrote to memory of 752	2920	e441a0b3.exe	cmd.exe
PID 2920 wrote to memory of 752	2920	e441a0b3.exe	cmd.exe
PID 752 wrote to memory of 940	752	cmd.exe	timeout.exe
PID 752 wrote to memory of 940	752	cmd.exe	timeout.exe
PID 752 wrote to memory of 940	752	cmd.exe	timeout.exe
PID 640 wrote to memory of 908	640	powershell.exe	schtasks.exe
PID 640 wrote to memory of 908	640	powershell.exe	schtasks.exe
PID 640 wrote to memory of 908	640	powershell.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e441a0b3.exe
"C:\Users\Admin\AppData\Local\Temp\e441a0b3.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\컂캰캀캰캃캵캇캳캲캡캰캵캆캆캆\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e441a0b3.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\컂캰캀캰캃캵캇캳캲캡캰캵캆캆캆\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\AdvancedRun.exe" /SpecialRun 4101d8 1588
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e441a0b3.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\AppData\Local\Temp\b8113c58-b9a4-4055-bee9-911703c3c212.exe
"C:\Users\Admin\AppData\Local\Temp\b8113c58-b9a4-4055-bee9-911703c3c212.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Users\Admin\AppData\Local\Temp\e441a0b3.exe
"C:\Users\Admin\AppData\Local\Temp\e441a0b3.exe"
2⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\e441a0b3.exe
"C:\Users\Admin\AppData\Local\Temp\e441a0b3.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Dfnder windows" /tr '"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"' & exit
3⤵
PID:640

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Dfnder windows" /tr '"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"'
4⤵
- Creates scheduled task(s)
PID:908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1F6B.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:940

C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"
4⤵
PID:3888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\컂캰캀캰캃캵캇캳캲캡캰캵캆캆캆\svchost.exe" -Force
5⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Dfnder windows.exe" -Force
5⤵
PID:3580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\컂캰캀캰캃캵캇캳캲캡캰캵캆캆캆\svchost.exe" -Force
5⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
5⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\AdvancedRun.exe" /SpecialRun 4101d8 3680
6⤵
PID:3136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Dfnder windows.exe" -Force
5⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\10444468-308d-4b86-ad04-d416901cde7e.exe
"C:\Users\Admin\AppData\Local\Temp\10444468-308d-4b86-ad04-d416901cde7e.exe"
5⤵
PID:3724

C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"
5⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 2440
5⤵
- Program crash
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 2376
2⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
060f650dc54717a07e0267adaee83c2e

SHA1
747fd9a0b2850209f08997cca75c05c642e4a6fe

SHA256
d449a9c04f43955fcfb47bf5b8ae551b93991766b37f62991e7384c616023b1d

SHA512
ab8b2cc4892aefc593e4116c0d6e9b470615b89510f45e3f95e81db919a775b14153deadb2ef3c741a962fe4b13e94dd7c7934d78d40487e8f15a8ea70e7308c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d6665650bbbfe60a046efbd48959f26f

SHA1
4a8a10339ee3d82585a859726c1280a1902cf948

SHA256
2c569dd186803a5b50d71bad072e8bb915c74b5f54de4eb11d2de64519e22a05

SHA512
81eeef5d07e002939e5116db6d71debc1fbb387ad2fbbfce4b62778c890b787b24cb95ece1a274074674e8f33d135341ef74504f8e289b6fe1c35512cef8ef39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
388f33488783679b71e91adafec1e649

SHA1
d01c950604520706abb2e10393a821bd54dc5279

SHA256
91453628511909051a6ba6f333cd1ca932207f79764d079324771db10de465b0

SHA512
f5ef0e2a78cb1b12378be4fbf7e264ed5f7039e9a1a712fdc7846e4a14188a974167e7bc6ec0af4098c97130d921331f2f3fa54842a7776d93d1b1841f5042d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
388f33488783679b71e91adafec1e649

SHA1
d01c950604520706abb2e10393a821bd54dc5279

SHA256
91453628511909051a6ba6f333cd1ca932207f79764d079324771db10de465b0

SHA512
f5ef0e2a78cb1b12378be4fbf7e264ed5f7039e9a1a712fdc7846e4a14188a974167e7bc6ec0af4098c97130d921331f2f3fa54842a7776d93d1b1841f5042d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
388f33488783679b71e91adafec1e649

SHA1
d01c950604520706abb2e10393a821bd54dc5279

SHA256
91453628511909051a6ba6f333cd1ca932207f79764d079324771db10de465b0

SHA512
f5ef0e2a78cb1b12378be4fbf7e264ed5f7039e9a1a712fdc7846e4a14188a974167e7bc6ec0af4098c97130d921331f2f3fa54842a7776d93d1b1841f5042d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
388f33488783679b71e91adafec1e649

SHA1
d01c950604520706abb2e10393a821bd54dc5279

SHA256
91453628511909051a6ba6f333cd1ca932207f79764d079324771db10de465b0

SHA512
f5ef0e2a78cb1b12378be4fbf7e264ed5f7039e9a1a712fdc7846e4a14188a974167e7bc6ec0af4098c97130d921331f2f3fa54842a7776d93d1b1841f5042d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0d66030684499defbda8be1ba0ab4da6

SHA1
3821600d5b2b2cf27d08721c537840311f722368

SHA256
4409ab4bf998cf617c1957f11d5df8534e29c1b613d9b7dba9e0c77a54edc577

SHA512
71fe0d36dd5d21228e2607f233d1c43e175d7aec3d7aa7f76ba93921633a1cb4dcbeeadab681f8c0cd806121c2b25fa6cb4dff0a9efa549bbe257bf7f7d80f6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0d66030684499defbda8be1ba0ab4da6

SHA1
3821600d5b2b2cf27d08721c537840311f722368

SHA256
4409ab4bf998cf617c1957f11d5df8534e29c1b613d9b7dba9e0c77a54edc577

SHA512
71fe0d36dd5d21228e2607f233d1c43e175d7aec3d7aa7f76ba93921633a1cb4dcbeeadab681f8c0cd806121c2b25fa6cb4dff0a9efa549bbe257bf7f7d80f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444468-308d-4b86-ad04-d416901cde7e.exe
MD5
91e82a5226381ca82df6daf0f419d77b

SHA1
a255a3a516db3100572ca1455fce30c2f44f8b48

SHA256
3ddf4caa81f3fe583299a5342825db0904d4e11d42800e7cb79c7a215f64ab1f

SHA512
84c5ab49a4ae4c3e3a2fdf6cf7c992fe1b91753c111ae2760cc030bee1db6037f14109871d7ef960e3254940dd18eec3ee6a6ec4c42f5da38f7391ad100b711d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444468-308d-4b86-ad04-d416901cde7e.exe
MD5
91e82a5226381ca82df6daf0f419d77b

SHA1
a255a3a516db3100572ca1455fce30c2f44f8b48

SHA256
3ddf4caa81f3fe583299a5342825db0904d4e11d42800e7cb79c7a215f64ab1f

SHA512
84c5ab49a4ae4c3e3a2fdf6cf7c992fe1b91753c111ae2760cc030bee1db6037f14109871d7ef960e3254940dd18eec3ee6a6ec4c42f5da38f7391ad100b711d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dc3e8ee-7995-449a-a6ca-56952ce3b335\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8113c58-b9a4-4055-bee9-911703c3c212.exe
MD5
91e82a5226381ca82df6daf0f419d77b

SHA1
a255a3a516db3100572ca1455fce30c2f44f8b48

SHA256
3ddf4caa81f3fe583299a5342825db0904d4e11d42800e7cb79c7a215f64ab1f

SHA512
84c5ab49a4ae4c3e3a2fdf6cf7c992fe1b91753c111ae2760cc030bee1db6037f14109871d7ef960e3254940dd18eec3ee6a6ec4c42f5da38f7391ad100b711d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8113c58-b9a4-4055-bee9-911703c3c212.exe
MD5
91e82a5226381ca82df6daf0f419d77b

SHA1
a255a3a516db3100572ca1455fce30c2f44f8b48

SHA256
3ddf4caa81f3fe583299a5342825db0904d4e11d42800e7cb79c7a215f64ab1f

SHA512
84c5ab49a4ae4c3e3a2fdf6cf7c992fe1b91753c111ae2760cc030bee1db6037f14109871d7ef960e3254940dd18eec3ee6a6ec4c42f5da38f7391ad100b711d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5af71ce-5576-4354-a7b8-827a32edda03\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F6B.tmp.bat
MD5
cdf0bd541d170699618de8fe5fa72682

SHA1
9adb38f2989de95cdd4e20fab09cfd4a70891fe2

SHA256
388e747b7dd080a5b27e7f6f10360d4bbbea58c83f56fa388f4946f60e8f9542

SHA512
c33e96c2ffeb0dde1312ff4a98ac2e85dc85f00f0536571e752385d86f788c063926ea5a28c587b8a21aa115f81983494ab2012dd817fd69ed809196637a77c5

Download Submit
C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
6c3143f9141f1fcd12ee35dfd7f7c5c6

SHA1
dd57207bc55b7137ab84c9c7d9ce2a800671f24a

SHA256
e441a0b3219c4844b20782d395d3132d7d5459cf9625a8dffd13ffbbd8d621dc

SHA512
90640764a8b2f36cdddc00790f8afbe6ccd940078ec1ad7a031fed5de0a3d2fce617e59f5de7c310effac6044f4e4c200fe7ab73cb1f508587ea71003add161f

Download Submit
C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
6c3143f9141f1fcd12ee35dfd7f7c5c6

SHA1
dd57207bc55b7137ab84c9c7d9ce2a800671f24a

SHA256
e441a0b3219c4844b20782d395d3132d7d5459cf9625a8dffd13ffbbd8d621dc

SHA512
90640764a8b2f36cdddc00790f8afbe6ccd940078ec1ad7a031fed5de0a3d2fce617e59f5de7c310effac6044f4e4c200fe7ab73cb1f508587ea71003add161f

Download Submit
C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
6c3143f9141f1fcd12ee35dfd7f7c5c6

SHA1
dd57207bc55b7137ab84c9c7d9ce2a800671f24a

SHA256
e441a0b3219c4844b20782d395d3132d7d5459cf9625a8dffd13ffbbd8d621dc

SHA512
90640764a8b2f36cdddc00790f8afbe6ccd940078ec1ad7a031fed5de0a3d2fce617e59f5de7c310effac6044f4e4c200fe7ab73cb1f508587ea71003add161f

Download Submit
memory/640-853-0x0000000000000000-mapping.dmp

Download
memory/640-935-0x0000000006C82000-0x0000000006C83000-memory.dmp

Filesize
4KB

Download
memory/640-923-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/640-437-0x0000000000000000-mapping.dmp

Download
memory/640-1687-0x0000000006C83000-0x0000000006C84000-memory.dmp

Filesize
4KB

Download
memory/640-1295-0x000000007E4A0000-0x000000007E4A1000-memory.dmp

Filesize
4KB

Download
memory/648-137-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/648-170-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/648-142-0x00000000043F2000-0x00000000043F3000-memory.dmp

Filesize
4KB

Download
memory/648-146-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/648-229-0x000000007EE70000-0x000000007EE71000-memory.dmp

Filesize
4KB

Download
memory/648-125-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/648-127-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/648-122-0x0000000000000000-mapping.dmp

Download
memory/648-149-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/648-164-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/648-269-0x00000000043F3000-0x00000000043F4000-memory.dmp

Filesize
4KB

Download
memory/752-442-0x0000000000000000-mapping.dmp

Download
memory/908-508-0x0000000000000000-mapping.dmp

Download
memory/940-507-0x0000000000000000-mapping.dmp

Download
memory/1520-867-0x0000000000000000-mapping.dmp

Download
memory/1520-1699-0x0000000004B03000-0x0000000004B04000-memory.dmp

Filesize
4KB

Download
memory/1520-933-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1520-944-0x0000000004B02000-0x0000000004B03000-memory.dmp

Filesize
4KB

Download
memory/1520-1334-0x000000007E930000-0x000000007E931000-memory.dmp

Filesize
4KB

Download
memory/1524-1089-0x0000000000000000-mapping.dmp

Download
memory/1524-1183-0x00000000042E2000-0x00000000042E3000-memory.dmp

Filesize
4KB

Download
memory/1524-1155-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/1524-1691-0x00000000042E3000-0x00000000042E4000-memory.dmp

Filesize
4KB

Download
memory/1588-144-0x0000000000000000-mapping.dmp

Download
memory/1700-178-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1700-215-0x0000000006932000-0x0000000006933000-memory.dmp

Filesize
4KB

Download
memory/1700-181-0x0000000006930000-0x0000000006931000-memory.dmp

Filesize
4KB

Download
memory/1700-391-0x000000007EEF0000-0x000000007EEF1000-memory.dmp

Filesize
4KB

Download
memory/1700-471-0x0000000006933000-0x0000000006934000-memory.dmp

Filesize
4KB

Download
memory/1700-177-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1700-176-0x0000000000000000-mapping.dmp

Download
memory/2168-180-0x0000000000000000-mapping.dmp

Download
memory/2168-219-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2188-134-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/2188-131-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2188-140-0x0000000007202000-0x0000000007203000-memory.dmp

Filesize
4KB

Download
memory/2188-172-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/2188-222-0x000000007F660000-0x000000007F661000-memory.dmp

Filesize
4KB

Download
memory/2188-138-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/2188-161-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/2188-153-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/2188-278-0x0000000007203000-0x0000000007204000-memory.dmp

Filesize
4KB

Download
memory/2188-123-0x0000000000000000-mapping.dmp

Download
memory/2188-130-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/2188-129-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/2680-128-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/2680-120-0x0000000008090000-0x0000000008091000-memory.dmp

Filesize
4KB

Download
memory/2680-119-0x0000000006710000-0x00000000067FE000-memory.dmp

Filesize
952KB

Download
memory/2680-118-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2680-117-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/2680-115-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2680-143-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/2920-274-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/2920-191-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2920-193-0x000000000040C76E-mapping.dmp

Download
memory/3136-950-0x0000000000000000-mapping.dmp

Download
memory/3204-171-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/3204-167-0x0000000008B50000-0x0000000008B51000-memory.dmp

Filesize
4KB

Download
memory/3204-121-0x0000000000000000-mapping.dmp

Download
memory/3204-139-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/3204-156-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/3204-272-0x0000000007403000-0x0000000007404000-memory.dmp

Filesize
4KB

Download
memory/3204-226-0x000000007ECB0000-0x000000007ECB1000-memory.dmp

Filesize
4KB

Download
memory/3204-124-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/3204-141-0x0000000007402000-0x0000000007403000-memory.dmp

Filesize
4KB

Download
memory/3204-126-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/3528-159-0x0000000000000000-mapping.dmp

Download
memory/3580-1678-0x0000000007383000-0x0000000007384000-memory.dmp

Filesize
4KB

Download
memory/3580-940-0x0000000007382000-0x0000000007383000-memory.dmp

Filesize
4KB

Download
memory/3580-1329-0x000000007EAC0000-0x000000007EAC1000-memory.dmp

Filesize
4KB

Download
memory/3580-928-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/3580-859-0x0000000000000000-mapping.dmp

Download
memory/3680-895-0x0000000000000000-mapping.dmp

Download
memory/3724-1114-0x0000000000000000-mapping.dmp

Download
memory/3724-1129-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/3888-687-0x0000000000000000-mapping.dmp

Download
memory/3888-729-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4172-1133-0x000000000040C76E-mapping.dmp

Download
memory/4172-1210-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download