bitrat | 56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

Analysis

max time kernel
593s
max time network
597s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
12-08-2022 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZMANHSYTGDH.exe
Size

300.0MB
MD5

a730bb7884d349d1ddc845d21836b94c
SHA1

fd6594a90a24130f8888fcf626450dd7d2aaaead
SHA256

56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32
SHA512

b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 9 IoCs

Processes:

kjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exe

pid process

4952 kjhgf.exe
3968 kjhgf.exe
4628 kjhgf.exe
2176 kjhgf.exe
528 kjhgf.exe
3932 kjhgf.exe
4020 kjhgf.exe
2348 kjhgf.exe
4476 kjhgf.exe

pid	process
4952	kjhgf.exe
3968	kjhgf.exe
4628	kjhgf.exe
2176	kjhgf.exe
528	kjhgf.exe
3932	kjhgf.exe
4020	kjhgf.exe
2348	kjhgf.exe
4476	kjhgf.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2516-250-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2516-301-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1044-490-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1044-530-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2612-707-0x0000000000500000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/776-900-0x0000000000570000-0x0000000000954000-memory.dmp	upx
behavioral2/memory/4776-1077-0x0000000000B40000-0x0000000000F24000-memory.dmp	upx
behavioral2/memory/3640-1268-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3640-1307-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4212-1485-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4212-1541-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4032-1717-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4032-1756-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4784-1949-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral2/memory/4564-2126-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4564-2165-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid process

2516 RegAsm.exe
2516 RegAsm.exe
2516 RegAsm.exe
2516 RegAsm.exe
1044 RegAsm.exe
3640 RegAsm.exe
4212 RegAsm.exe
4032 RegAsm.exe
4564 RegAsm.exe

pid	process
2516	RegAsm.exe
2516	RegAsm.exe
2516	RegAsm.exe
2516	RegAsm.exe
1044	RegAsm.exe
3640	RegAsm.exe
4212	RegAsm.exe
4032	RegAsm.exe
4564	RegAsm.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

ZMANHSYTGDH.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exe

description	pid	process	target process
PID 2656 set thread context of 2516	2656	ZMANHSYTGDH.exe	RegAsm.exe
PID 4952 set thread context of 1044	4952	kjhgf.exe	RegAsm.exe
PID 3968 set thread context of 2612	3968	kjhgf.exe	RegAsm.exe
PID 4628 set thread context of 776	4628	kjhgf.exe	RegAsm.exe
PID 2176 set thread context of 4776	2176	kjhgf.exe	RegAsm.exe
PID 528 set thread context of 3640	528	kjhgf.exe	RegAsm.exe
PID 3932 set thread context of 4212	3932	kjhgf.exe	RegAsm.exe
PID 4020 set thread context of 4032	4020	kjhgf.exe	RegAsm.exe
PID 2348 set thread context of 4784	2348	kjhgf.exe	RegAsm.exe
PID 4476 set thread context of 4564	4476	kjhgf.exe	RegAsm.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3800	2612	WerFault.exe	RegAsm.exe
1056	776	WerFault.exe	RegAsm.exe
3976	4776	WerFault.exe	RegAsm.exe
4304	4784	WerFault.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1812	schtasks.exe
2656	schtasks.exe
220	schtasks.exe
4420	schtasks.exe
4444	schtasks.exe
3344	schtasks.exe
5112	schtasks.exe
2328	schtasks.exe
4092	schtasks.exe
3336	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeShutdownPrivilege	2516	RegAsm.exe
Token: SeShutdownPrivilege	1044	RegAsm.exe
Token: SeShutdownPrivilege	3640	RegAsm.exe
Token: SeShutdownPrivilege	4212	RegAsm.exe
Token: SeShutdownPrivilege	4032	RegAsm.exe
Token: SeShutdownPrivilege	4564	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

2516 RegAsm.exe
2516 RegAsm.exe

pid	process
2516	RegAsm.exe
2516	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ZMANHSYTGDH.execmd.exekjhgf.execmd.exekjhgf.execmd.exekjhgf.execmd.exe

description	pid	process	target process
PID 2656 wrote to memory of 4732	2656	ZMANHSYTGDH.exe	cmd.exe
PID 2656 wrote to memory of 4732	2656	ZMANHSYTGDH.exe	cmd.exe
PID 2656 wrote to memory of 4732	2656	ZMANHSYTGDH.exe	cmd.exe
PID 2656 wrote to memory of 2156	2656	ZMANHSYTGDH.exe	cmd.exe
PID 2656 wrote to memory of 2156	2656	ZMANHSYTGDH.exe	cmd.exe
PID 2656 wrote to memory of 2156	2656	ZMANHSYTGDH.exe	cmd.exe
PID 4732 wrote to memory of 5112	4732	cmd.exe	schtasks.exe
PID 4732 wrote to memory of 5112	4732	cmd.exe	schtasks.exe
PID 4732 wrote to memory of 5112	4732	cmd.exe	schtasks.exe
PID 2656 wrote to memory of 2516	2656	ZMANHSYTGDH.exe	RegAsm.exe
PID 2656 wrote to memory of 2516	2656	ZMANHSYTGDH.exe	RegAsm.exe
PID 2656 wrote to memory of 2516	2656	ZMANHSYTGDH.exe	RegAsm.exe
PID 2656 wrote to memory of 2516	2656	ZMANHSYTGDH.exe	RegAsm.exe
PID 2656 wrote to memory of 2516	2656	ZMANHSYTGDH.exe	RegAsm.exe
PID 2656 wrote to memory of 2516	2656	ZMANHSYTGDH.exe	RegAsm.exe
PID 2656 wrote to memory of 2516	2656	ZMANHSYTGDH.exe	RegAsm.exe
PID 4952 wrote to memory of 720	4952	kjhgf.exe	cmd.exe
PID 4952 wrote to memory of 720	4952	kjhgf.exe	cmd.exe
PID 4952 wrote to memory of 720	4952	kjhgf.exe	cmd.exe
PID 4952 wrote to memory of 1240	4952	kjhgf.exe	cmd.exe
PID 4952 wrote to memory of 1240	4952	kjhgf.exe	cmd.exe
PID 4952 wrote to memory of 1240	4952	kjhgf.exe	cmd.exe
PID 4952 wrote to memory of 1044	4952	kjhgf.exe	RegAsm.exe
PID 4952 wrote to memory of 1044	4952	kjhgf.exe	RegAsm.exe
PID 4952 wrote to memory of 1044	4952	kjhgf.exe	RegAsm.exe
PID 4952 wrote to memory of 1044	4952	kjhgf.exe	RegAsm.exe
PID 4952 wrote to memory of 1044	4952	kjhgf.exe	RegAsm.exe
PID 4952 wrote to memory of 1044	4952	kjhgf.exe	RegAsm.exe
PID 4952 wrote to memory of 1044	4952	kjhgf.exe	RegAsm.exe
PID 720 wrote to memory of 1812	720	cmd.exe	schtasks.exe
PID 720 wrote to memory of 1812	720	cmd.exe	schtasks.exe
PID 720 wrote to memory of 1812	720	cmd.exe	schtasks.exe
PID 3968 wrote to memory of 4184	3968	kjhgf.exe	cmd.exe
PID 3968 wrote to memory of 4184	3968	kjhgf.exe	cmd.exe
PID 3968 wrote to memory of 4184	3968	kjhgf.exe	cmd.exe
PID 3968 wrote to memory of 4212	3968	kjhgf.exe	cmd.exe
PID 3968 wrote to memory of 4212	3968	kjhgf.exe	cmd.exe
PID 3968 wrote to memory of 4212	3968	kjhgf.exe	cmd.exe
PID 3968 wrote to memory of 2612	3968	kjhgf.exe	RegAsm.exe
PID 3968 wrote to memory of 2612	3968	kjhgf.exe	RegAsm.exe
PID 3968 wrote to memory of 2612	3968	kjhgf.exe	RegAsm.exe
PID 3968 wrote to memory of 2612	3968	kjhgf.exe	RegAsm.exe
PID 4184 wrote to memory of 2656	4184	cmd.exe	schtasks.exe
PID 4184 wrote to memory of 2656	4184	cmd.exe	schtasks.exe
PID 4184 wrote to memory of 2656	4184	cmd.exe	schtasks.exe
PID 3968 wrote to memory of 2612	3968	kjhgf.exe	RegAsm.exe
PID 3968 wrote to memory of 2612	3968	kjhgf.exe	RegAsm.exe
PID 3968 wrote to memory of 2612	3968	kjhgf.exe	RegAsm.exe
PID 4628 wrote to memory of 2344	4628	kjhgf.exe	cmd.exe
PID 4628 wrote to memory of 2344	4628	kjhgf.exe	cmd.exe
PID 4628 wrote to memory of 2344	4628	kjhgf.exe	cmd.exe
PID 4628 wrote to memory of 2320	4628	kjhgf.exe	cmd.exe
PID 4628 wrote to memory of 2320	4628	kjhgf.exe	cmd.exe
PID 4628 wrote to memory of 2320	4628	kjhgf.exe	cmd.exe
PID 4628 wrote to memory of 776	4628	kjhgf.exe	RegAsm.exe
PID 4628 wrote to memory of 776	4628	kjhgf.exe	RegAsm.exe
PID 4628 wrote to memory of 776	4628	kjhgf.exe	RegAsm.exe
PID 4628 wrote to memory of 776	4628	kjhgf.exe	RegAsm.exe
PID 4628 wrote to memory of 776	4628	kjhgf.exe	RegAsm.exe
PID 4628 wrote to memory of 776	4628	kjhgf.exe	RegAsm.exe
PID 4628 wrote to memory of 776	4628	kjhgf.exe	RegAsm.exe
PID 2344 wrote to memory of 2328	2344	cmd.exe	schtasks.exe
PID 2344 wrote to memory of 2328	2344	cmd.exe	schtasks.exe
PID 2344 wrote to memory of 2328	2344	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ZMANHSYTGDH.exe
"C:\Users\Admin\AppData\Local\Temp\ZMANHSYTGDH.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5112

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ZMANHSYTGDH.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1812

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:1240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2656

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 552
3⤵
- Program crash
PID:3800

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2328

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 552
3⤵
- Program crash
PID:1056

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2176

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
PID:4872

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4092

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 556
3⤵
- Program crash
PID:3976

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:528

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
PID:1852

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3336

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3932

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
PID:4688

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4444

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:64

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4020

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
PID:2764

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:220

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2348

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
PID:5112

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4420

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:3700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 552
3⤵
- Program crash
PID:4304

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4476

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
PID:1492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3344

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:1444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kjhgf.exe.log
Filesize
609B

MD5
deb98222ed0d3bab59b1d35814f806ea

SHA1
468b7c7d5badca33180ef6dbcfd25ad2208341c3

SHA256
520792388aeaf195741ca07d09d1cd23dba77bc1a090de3d241676307112ba57

SHA512
a67d2effa0d7de86c567775b4235e47b2b7bf8a6d42d545873d86e6ea2e67c5c46436b4726b1716611252f244632ed5c996035b0a2cb660f549c33c3c32d367d

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
memory/64-1408-0x0000000000000000-mapping.dmp

Download
memory/220-1652-0x0000000000000000-mapping.dmp

Download
memory/720-412-0x0000000000000000-mapping.dmp

Download
memory/776-857-0x00000000007E2730-mapping.dmp

Download
memory/776-900-0x0000000000570000-0x0000000000954000-memory.dmp

Filesize
3.9MB

Download
memory/1044-490-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1044-507-0x0000000073CA0000-0x0000000073CDA000-memory.dmp

Filesize
232KB

Download
memory/1044-445-0x00000000007E2730-mapping.dmp

Download
memory/1044-530-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1240-413-0x0000000000000000-mapping.dmp

Download
memory/1444-2048-0x0000000000000000-mapping.dmp

Download
memory/1492-2047-0x0000000000000000-mapping.dmp

Download
memory/1812-425-0x0000000000000000-mapping.dmp

Download
memory/1852-1189-0x0000000000000000-mapping.dmp

Download
memory/2156-185-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-174-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-179-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-183-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-171-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-173-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-167-0x0000000000000000-mapping.dmp

Download
memory/2156-178-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-181-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-169-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-186-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-177-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-1191-0x0000000000000000-mapping.dmp

Download
memory/2320-824-0x0000000000000000-mapping.dmp

Download
memory/2328-837-0x0000000000000000-mapping.dmp

Download
memory/2344-823-0x0000000000000000-mapping.dmp

Download
memory/2516-1399-0x0000000070930000-0x000000007096A000-memory.dmp

Filesize
232KB

Download
memory/2516-1502-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-742-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-725-0x0000000073CA0000-0x0000000073CDA000-memory.dmp

Filesize
232KB

Download
memory/2516-724-0x0000000073770000-0x00000000737AA000-memory.dmp

Filesize
232KB

Download
memory/2516-2182-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-2040-0x0000000070930000-0x000000007096A000-memory.dmp

Filesize
232KB

Download
memory/2516-623-0x0000000073CD0000-0x0000000073D0A000-memory.dmp

Filesize
232KB

Download
memory/2516-800-0x0000000070930000-0x000000007096A000-memory.dmp

Filesize
232KB

Download
memory/2516-611-0x0000000071300000-0x000000007133A000-memory.dmp

Filesize
232KB

Download
memory/2516-901-0x0000000071300000-0x000000007133A000-memory.dmp

Filesize
232KB

Download
memory/2516-605-0x0000000071300000-0x000000007133A000-memory.dmp

Filesize
232KB

Download
memory/2516-910-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-959-0x0000000073770000-0x00000000737AA000-memory.dmp

Filesize
232KB

Download
memory/2516-976-0x0000000070930000-0x000000007096A000-memory.dmp

Filesize
232KB

Download
memory/2516-989-0x0000000070930000-0x000000007096A000-memory.dmp

Filesize
232KB

Download
memory/2516-1155-0x0000000070930000-0x000000007096A000-memory.dmp

Filesize
232KB

Download
memory/2516-547-0x0000000073CA0000-0x0000000073CDA000-memory.dmp

Filesize
232KB

Download
memory/2516-1320-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-1341-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-1398-0x0000000070930000-0x000000007096A000-memory.dmp

Filesize
232KB

Download
memory/2516-783-0x0000000073CA0000-0x0000000073CDA000-memory.dmp

Filesize
232KB

Download
memory/2516-1614-0x0000000070930000-0x000000007096A000-memory.dmp

Filesize
232KB

Download
memory/2516-1615-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-1773-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-1774-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-1791-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-1832-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-1845-0x0000000070930000-0x000000007096A000-memory.dmp

Filesize
232KB

Download
memory/2516-197-0x00000000007E2730-mapping.dmp

Download
memory/2516-250-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-280-0x0000000073CD0000-0x0000000073D0A000-memory.dmp

Filesize
232KB

Download
memory/2516-301-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-303-0x0000000073CA0000-0x0000000073CDA000-memory.dmp

Filesize
232KB

Download
memory/2516-318-0x0000000073CA0000-0x0000000073CDA000-memory.dmp

Filesize
232KB

Download
memory/2516-2014-0x0000000070930000-0x000000007096A000-memory.dmp

Filesize
232KB

Download
memory/2516-2023-0x0000000073020000-0x000000007305A000-memory.dmp

Filesize
232KB

Download
memory/2516-381-0x0000000073CA0000-0x0000000073CDA000-memory.dmp

Filesize
232KB

Download
memory/2516-393-0x0000000071300000-0x000000007133A000-memory.dmp

Filesize
232KB

Download
memory/2612-664-0x00000000007E2730-mapping.dmp

Download
memory/2612-707-0x0000000000500000-0x00000000008E4000-memory.dmp

Filesize
3.9MB

Download
memory/2656-159-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-130-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-118-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-119-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-120-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-122-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-175-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-123-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-125-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-126-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-127-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-644-0x0000000000000000-mapping.dmp

Download
memory/2656-164-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-163-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-162-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-161-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-160-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-117-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-158-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/2656-157-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-156-0x0000000005CC0000-0x00000000061BE000-memory.dmp

Filesize
5.0MB

Download
memory/2656-155-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-154-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-153-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-152-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-151-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-150-0x0000000000ED0000-0x0000000001078000-memory.dmp

Filesize
1.7MB

Download
memory/2656-149-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-148-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-147-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-146-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-128-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-129-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-131-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-132-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-133-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-145-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-144-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-143-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-142-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-134-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-135-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-136-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-137-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-141-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-140-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-139-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-138-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-1638-0x0000000000000000-mapping.dmp

Download
memory/3336-1203-0x0000000000000000-mapping.dmp

Download
memory/3344-2061-0x0000000000000000-mapping.dmp

Download
memory/3640-1268-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3640-1223-0x00000000007E2730-mapping.dmp

Download
memory/3640-1307-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3700-1874-0x0000000000000000-mapping.dmp

Download
memory/3764-1640-0x0000000000000000-mapping.dmp

Download
memory/4032-1756-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4032-1717-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4032-1672-0x00000000007E2730-mapping.dmp

Download
memory/4092-1014-0x0000000000000000-mapping.dmp

Download
memory/4184-630-0x0000000000000000-mapping.dmp

Download
memory/4212-1541-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4212-1485-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4212-1440-0x00000000007E2730-mapping.dmp

Download
memory/4212-631-0x0000000000000000-mapping.dmp

Download
memory/4420-1886-0x0000000000000000-mapping.dmp

Download
memory/4444-1420-0x0000000000000000-mapping.dmp

Download
memory/4564-2081-0x00000000007E2730-mapping.dmp

Download
memory/4564-2165-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4564-2126-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4688-1406-0x0000000000000000-mapping.dmp

Download
memory/4732-1001-0x0000000000000000-mapping.dmp

Download
memory/4732-165-0x0000000000000000-mapping.dmp

Download
memory/4732-176-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4732-170-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4732-172-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4732-166-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4732-168-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4776-1077-0x0000000000B40000-0x0000000000F24000-memory.dmp

Filesize
3.9MB

Download
memory/4776-1034-0x00000000007E2730-mapping.dmp

Download
memory/4784-1949-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/4784-1906-0x00000000007E2730-mapping.dmp

Download
memory/4872-1000-0x0000000000000000-mapping.dmp

Download
memory/5112-180-0x0000000000000000-mapping.dmp

Download
memory/5112-182-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/5112-1872-0x0000000000000000-mapping.dmp

Download
memory/5112-184-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download