asyncrat | hxxps://mega[.]nz/file/DV9kgRKB#MR2VDztaRN-tiEpXXTHe4CrLJGQxUGTyKxBv6VpL2qU

Analysis

max time kernel
204s
max time network
206s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
09-10-2022 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/DV9kgRKB#MR2VDztaRN-tiEpXXTHe4CrLJGQxUGTyKxBv6VpL2qU

Score

10^/10

asyncrat evasion rat themida trojan

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1744-162-0x0000000001000000-0x00000000021D5000-memory.dmp	asyncrat
behavioral1/memory/1744-163-0x0000000001000000-0x00000000021D5000-memory.dmp	asyncrat
behavioral1/memory/1744-175-0x0000000001000000-0x00000000021D5000-memory.dmp	asyncrat
behavioral1/memory/1744-191-0x0000000001000000-0x00000000021D5000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE	asyncrat
behavioral1/memory/4996-230-0x0000000000EE0000-0x0000000000EF2000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe	asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe	asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

SQLi Dumper_Cracked_By_Angeal.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SQLi Dumper_Cracked_By_Angeal.exe
Executes dropped EXE 4 IoCs

Processes:

SQLi Dumper_Cracked_By_Angeal.exeSQLI DUMPER_CRACKED_BY_ANGEAL.EXESVCHOST.EXEsvchost.exe

pid process

1744 SQLi Dumper_Cracked_By_Angeal.exe
4844 SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4996 SVCHOST.EXE
5108 svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SQLi Dumper_Cracked_By_Angeal.exe

pid	process
1744	SQLi Dumper_Cracked_By_Angeal.exe
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4996	SVCHOST.EXE
5108	svchost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SQLi Dumper_Cracked_By_Angeal.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SQLi Dumper_Cracked_By_Angeal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SQLi Dumper_Cracked_By_Angeal.exe

Loads dropped DLL 6 IoCs

Processes:

SQLI DUMPER_CRACKED_BY_ANGEAL.EXE

pid	process
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\SQLi Dumper v.10.2\SQLi Dumper_Cracked_By_Angeal.exe	themida
behavioral1/memory/1744-131-0x0000000001000000-0x00000000021D5000-memory.dmp	themida
C:\Users\Admin\Downloads\SQLi Dumper v.10.2\SQLi Dumper_Cracked_By_Angeal.exe	themida
behavioral1/memory/1744-161-0x0000000001000000-0x00000000021D5000-memory.dmp	themida
behavioral1/memory/1744-162-0x0000000001000000-0x00000000021D5000-memory.dmp	themida
behavioral1/memory/1744-163-0x0000000001000000-0x00000000021D5000-memory.dmp	themida
behavioral1/memory/1744-175-0x0000000001000000-0x00000000021D5000-memory.dmp	themida
behavioral1/memory/1744-191-0x0000000001000000-0x00000000021D5000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SQLi Dumper_Cracked_By_Angeal.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SQLi Dumper_Cracked_By_Angeal.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 checkip.dyndns.org
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

SQLi Dumper_Cracked_By_Angeal.exe

pid process

1744 SQLi Dumper_Cracked_By_Angeal.exe

flow	ioc
92	checkip.dyndns.org

pid	process
1744	SQLi Dumper_Cracked_By_Angeal.exe

Drops file in Program Files directory 3 IoCs

Processes:

chrome.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\SQLi Dumper v.10.2\ChilkatDotNet46.dll	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\SQLi Dumper v.10.2\SkinSoft.VisualStyler.dll	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\SQLi Dumper v.10.2\SQLi Dumper_Cracked_By_Angeal.exe	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3724 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

904 timeout.exe

pid	process
3724	schtasks.exe

pid	process
904	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeSVCHOST.EXESQLI DUMPER_CRACKED_BY_ANGEAL.EXE

pid	process
4816	chrome.exe
4816	chrome.exe
2204	chrome.exe
2204	chrome.exe
744	chrome.exe
744	chrome.exe
4016	chrome.exe
4016	chrome.exe
5028	chrome.exe
4668	chrome.exe
4668	chrome.exe
5028	chrome.exe
1184	chrome.exe
1184	chrome.exe
96	chrome.exe
96	chrome.exe
412	chrome.exe
412	chrome.exe
2204	chrome.exe
2204	chrome.exe
756	chrome.exe
756	chrome.exe
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4996	SVCHOST.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2204 chrome.exe
2204 chrome.exe
2204 chrome.exe
2204 chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AUDIODG.EXE7zG.exeSVCHOST.EXESQLI DUMPER_CRACKED_BY_ANGEAL.EXEsvchost.exe

description	pid	process
Token: 33	2276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2276	AUDIODG.EXE
Token: SeRestorePrivilege	3168	7zG.exe
Token: 35	3168	7zG.exe
Token: SeSecurityPrivilege	3168	7zG.exe
Token: SeSecurityPrivilege	3168	7zG.exe
Token: SeDebugPrivilege	4996	SVCHOST.EXE
Token: SeDebugPrivilege	4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
Token: SeDebugPrivilege	5108	svchost.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

chrome.exe7zG.exeSQLI DUMPER_CRACKED_BY_ANGEAL.EXE

pid	process
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
3168	7zG.exe
2204	chrome.exe
4844	SQLI DUMPER_CRACKED_BY_ANGEAL.EXE

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SQLI DUMPER_CRACKED_BY_ANGEAL.EXE

pid process

4844 SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844 SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
4844 SQLI DUMPER_CRACKED_BY_ANGEAL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2204 wrote to memory of 2352	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2352	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 1912	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4816	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4816	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4456	2204	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/DV9kgRKB#MR2VDztaRN-tiEpXXTHe4CrLJGQxUGTyKxBv6VpL2qU
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9dc954f50,0x7ff9dc954f60,0x7ff9dc954f70
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1768 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1576 /prefetch:2
2⤵
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:8
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
2⤵
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4152 /prefetch:8
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:8
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
2⤵
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4612 /prefetch:8
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4500 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4104 /prefetch:8
2⤵
- Drops file in Program Files directory
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
2⤵
PID:968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:96

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,8316685161994799002,7850414772927629868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2604 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x290
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2212

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap26482:98:7zEvent6987
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3168

C:\Users\Admin\Downloads\SQLi Dumper v.10.2\SQLi Dumper_Cracked_By_Angeal.exe
"C:\Users\Admin\Downloads\SQLi Dumper v.10.2\SQLi Dumper_Cracked_By_Angeal.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1744

C:\Users\Admin\AppData\Local\Temp\SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
"C:\Users\Admin\AppData\Local\Temp\SQLI DUMPER_CRACKED_BY_ANGEAL.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
3⤵
PID:3876

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
4⤵
- Creates scheduled task(s)
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFCAF.tmp.bat""
3⤵
PID:1884

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:904

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
Filesize
522B

MD5
29ac3d31c772ba5e216f15cd6d85cd29

SHA1
45d682f8f9f8658e4b1c717782811f24b08be250

SHA256
82cb10a670e760c3159ae57f943dbd2b478727a9e82b307edd559e54ffad0f9d

SHA512
87403b70e4ba9a19f96eaef900cffe6769c3aa35d047cac26175f27ffbed8e625a8f8a12d191a6e63f75ef4b8b1bee2078f4659325a12d534d61427d58ceb8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChilkatDotNet46.dll
Filesize
7.3MB

MD5
ac3c6280175e2fa87a761b20dd75973e

SHA1
aed752549f9cc1e54ccd2cb21aabda355f2f9337

SHA256
a2152f98a37ef40ba8b411b1a061dc4fc503f20313cb1c0bbd3816e14f67a03a

SHA512
68ecd9221109d4e1bcc4b1d2baffff83d9fa62f5a6f9f1a58465bf534f2397c069f87f0768178c6d492a7d1a51e26d54b7497edc03882906e27577fecb7d5fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
Filesize
3.0MB

MD5
9d8b946ae008bc962015cdb436a648d2

SHA1
bdc46054530455e0d234f4fc23e8ff5781367b95

SHA256
49606c156c838db34e09a96369d0cb9c5097e9dbc6174bd6827c09af4365edf2

SHA512
c05fd8dc91edfb71665301613490f42b2095830cd11a55d5e1620e320f7ff78f906d6731206a01af1d01ed85e9292226e10548de6332d0fa739b6dcf7951b6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLI DUMPER_CRACKED_BY_ANGEAL.EXE
Filesize
3.0MB

MD5
9d8b946ae008bc962015cdb436a648d2

SHA1
bdc46054530455e0d234f4fc23e8ff5781367b95

SHA256
49606c156c838db34e09a96369d0cb9c5097e9dbc6174bd6827c09af4365edf2

SHA512
c05fd8dc91edfb71665301613490f42b2095830cd11a55d5e1620e320f7ff78f906d6731206a01af1d01ed85e9292226e10548de6332d0fa739b6dcf7951b6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
Filesize
45KB

MD5
3d6f7d26fe3d241616b2c4487d41c339

SHA1
26d311eff092c692a4af2a16d12709cf8945fab6

SHA256
fbceedf8a40ce3a3828b60cc158f755759d7905b54155de3cf2f34389b7161c1

SHA512
15bb307e6c85c323da7bef23b08cbb99b1f6542f8e01322324a6360e634fcce18994de5b0c181ff96c969da00bd0c114f47c74796058c164aa501982535c1233

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
Filesize
45KB

MD5
3d6f7d26fe3d241616b2c4487d41c339

SHA1
26d311eff092c692a4af2a16d12709cf8945fab6

SHA256
fbceedf8a40ce3a3828b60cc158f755759d7905b54155de3cf2f34389b7161c1

SHA512
15bb307e6c85c323da7bef23b08cbb99b1f6542f8e01322324a6360e634fcce18994de5b0c181ff96c969da00bd0c114f47c74796058c164aa501982535c1233

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinSoft.VisualStyler.dll
Filesize
1004KB

MD5
d93366374b57b5a0fe3a1a8a1ca95f78

SHA1
e35d56efef3462897893f5a305f404a88ceefcc6

SHA256
14f231441dad16ef046ab97415c33195056a61b0240d7d890971e5f626068925

SHA512
782380533dfaf734a669e52ff7fdee64714c3ba354f24823c8b232b4af18631e237beba48e6d3ad0f5959dac5c82f93021e4923fd65be30834ffaacb14e25eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFCAF.tmp.bat
Filesize
151B

MD5
7a400e8b2f024de590b477500cc4bb49

SHA1
d596bc48ab3f1ecf6c7ca46ce2f3306929c1fd8d

SHA256
112331ab2ce1befd62dbd85c3e3eab141470eec1f60f2ad9acaf5994cb5d3ff6

SHA512
f182f0eafe5ed3c7aaebeb08de001b7d3d1db04582e8359fa1e600c44625a0428384ac0d579c357e215247c2b00649b9d4ccd5af6208259488945ee6769cf1a2

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
45KB

MD5
3d6f7d26fe3d241616b2c4487d41c339

SHA1
26d311eff092c692a4af2a16d12709cf8945fab6

SHA256
fbceedf8a40ce3a3828b60cc158f755759d7905b54155de3cf2f34389b7161c1

SHA512
15bb307e6c85c323da7bef23b08cbb99b1f6542f8e01322324a6360e634fcce18994de5b0c181ff96c969da00bd0c114f47c74796058c164aa501982535c1233

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
45KB

MD5
3d6f7d26fe3d241616b2c4487d41c339

SHA1
26d311eff092c692a4af2a16d12709cf8945fab6

SHA256
fbceedf8a40ce3a3828b60cc158f755759d7905b54155de3cf2f34389b7161c1

SHA512
15bb307e6c85c323da7bef23b08cbb99b1f6542f8e01322324a6360e634fcce18994de5b0c181ff96c969da00bd0c114f47c74796058c164aa501982535c1233

Download Submit
C:\Users\Admin\Downloads\SQLi Dumper v.10.2.rar
Filesize
9.8MB

MD5
df2f4ca7906ceee33c28df910cc2fd47

SHA1
b22d3a1d64dc49a2373288c435155237e2d53325

SHA256
79650f012de2bea5b38e99a50512ac2562a640c99a29b5edc9d5c6c175a03de7

SHA512
3157114c77dce58cda96e3e3dbe33ec5a108003503a3244ffbbaecd35ec6691342a11d5e41dbda5a048f18614c22e7784cc81c5699cc7a0b304ad8a443651c1c

Download Submit
C:\Users\Admin\Downloads\SQLi Dumper v.10.2\SQLi Dumper_Cracked_By_Angeal.exe
Filesize
7.6MB

MD5
2431e2206038bb0b8a52b301b83e4143

SHA1
afd1c0a4802ee4800c099b831174b3874bda5673

SHA256
fe88cf44e848e80284f7e1e7eb1633fb8c7fe5cce736c35b3519ed7de4d27ab1

SHA512
5b0d6c17db32db938c3fff0f1b2adb0850b682fd76a9f34987c021a53823ad90002dc3a268a39bc5e6663d307378edc4854c09229b6840cdc3bb8ec6ad19c28f

Download Submit
C:\Users\Admin\Downloads\SQLi Dumper v.10.2\SQLi Dumper_Cracked_By_Angeal.exe
Filesize
7.6MB

MD5
2431e2206038bb0b8a52b301b83e4143

SHA1
afd1c0a4802ee4800c099b831174b3874bda5673

SHA256
fe88cf44e848e80284f7e1e7eb1633fb8c7fe5cce736c35b3519ed7de4d27ab1

SHA512
5b0d6c17db32db938c3fff0f1b2adb0850b682fd76a9f34987c021a53823ad90002dc3a268a39bc5e6663d307378edc4854c09229b6840cdc3bb8ec6ad19c28f

Download Submit
\??\pipe\crashpad_2204_KESSSEVNFVFWNOUL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.4.0.0\x86\ssapihook.dll
Filesize
57KB

MD5
bb439bf268e538b714b0727f02945374

SHA1
53bf4afcc8ada3693d230ab4b66ce768878296e8

SHA256
d1334ae830ac3ec69f2ae63c16dae778e6b6af2ff9a6226e4336451a0a1ffd5b

SHA512
6167257c25e9da24dfcf223e8f4a7c438f3c02567531f5ca922e4e5330e14461d8ebe56822625b21286fa78a3b56b2940de8dfef1bee11b17e901472a7c03e34

Download Submit
\Users\Admin\AppData\Local\Temp\CHILKATDOTNET46.DLL
Filesize
7.3MB

MD5
ac3c6280175e2fa87a761b20dd75973e

SHA1
aed752549f9cc1e54ccd2cb21aabda355f2f9337

SHA256
a2152f98a37ef40ba8b411b1a061dc4fc503f20313cb1c0bbd3816e14f67a03a

SHA512
68ecd9221109d4e1bcc4b1d2baffff83d9fa62f5a6f9f1a58465bf534f2397c069f87f0768178c6d492a7d1a51e26d54b7497edc03882906e27577fecb7d5fd3

Download Submit
\Users\Admin\AppData\Local\Temp\CHILKATDOTNET46.DLL
Filesize
7.3MB

MD5
ac3c6280175e2fa87a761b20dd75973e

SHA1
aed752549f9cc1e54ccd2cb21aabda355f2f9337

SHA256
a2152f98a37ef40ba8b411b1a061dc4fc503f20313cb1c0bbd3816e14f67a03a

SHA512
68ecd9221109d4e1bcc4b1d2baffff83d9fa62f5a6f9f1a58465bf534f2397c069f87f0768178c6d492a7d1a51e26d54b7497edc03882906e27577fecb7d5fd3

Download Submit
\Users\Admin\AppData\Local\Temp\CHILKATDOTNET46.DLL
Filesize
7.3MB

MD5
ac3c6280175e2fa87a761b20dd75973e

SHA1
aed752549f9cc1e54ccd2cb21aabda355f2f9337

SHA256
a2152f98a37ef40ba8b411b1a061dc4fc503f20313cb1c0bbd3816e14f67a03a

SHA512
68ecd9221109d4e1bcc4b1d2baffff83d9fa62f5a6f9f1a58465bf534f2397c069f87f0768178c6d492a7d1a51e26d54b7497edc03882906e27577fecb7d5fd3

Download Submit
\Users\Admin\AppData\Local\Temp\SKINSOFT.VISUALSTYLER.DLL
Filesize
1004KB

MD5
d93366374b57b5a0fe3a1a8a1ca95f78

SHA1
e35d56efef3462897893f5a305f404a88ceefcc6

SHA256
14f231441dad16ef046ab97415c33195056a61b0240d7d890971e5f626068925

SHA512
782380533dfaf734a669e52ff7fdee64714c3ba354f24823c8b232b4af18631e237beba48e6d3ad0f5959dac5c82f93021e4923fd65be30834ffaacb14e25eb0

Download Submit
\Users\Admin\AppData\Local\Temp\SKINSOFT.VISUALSTYLER.DLL
Filesize
1004KB

MD5
d93366374b57b5a0fe3a1a8a1ca95f78

SHA1
e35d56efef3462897893f5a305f404a88ceefcc6

SHA256
14f231441dad16ef046ab97415c33195056a61b0240d7d890971e5f626068925

SHA512
782380533dfaf734a669e52ff7fdee64714c3ba354f24823c8b232b4af18631e237beba48e6d3ad0f5959dac5c82f93021e4923fd65be30834ffaacb14e25eb0

Download Submit
memory/904-376-0x0000000000000000-mapping.dmp

Download
memory/1744-171-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-144-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-145-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-153-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-154-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-157-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-158-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-159-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-160-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-161-0x0000000001000000-0x00000000021D5000-memory.dmp

Filesize
17.8MB

Download
memory/1744-162-0x0000000001000000-0x00000000021D5000-memory.dmp

Filesize
17.8MB

Download
memory/1744-163-0x0000000001000000-0x00000000021D5000-memory.dmp

Filesize
17.8MB

Download
memory/1744-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-167-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-143-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-174-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-175-0x0000000001000000-0x00000000021D5000-memory.dmp

Filesize
17.8MB

Download
memory/1744-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-127-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-131-0x0000000001000000-0x00000000021D5000-memory.dmp

Filesize
17.8MB

Download
memory/1744-191-0x0000000001000000-0x00000000021D5000-memory.dmp

Filesize
17.8MB

Download
memory/1744-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1884-337-0x0000000000000000-mapping.dmp

Download
memory/3724-350-0x0000000000000000-mapping.dmp

Download
memory/3876-333-0x0000000000000000-mapping.dmp

Download
memory/4844-262-0x0000000005300000-0x00000000057FE000-memory.dmp

Filesize
5.0MB

Download
memory/4844-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4844-176-0x0000000000000000-mapping.dmp

Download
memory/4844-259-0x0000000000280000-0x000000000057C000-memory.dmp

Filesize
3.0MB

Download
memory/4844-184-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4844-264-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/4844-265-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/4844-190-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4844-193-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4844-195-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4844-270-0x0000000005800000-0x0000000005F48000-memory.dmp

Filesize
7.3MB

Download
memory/4844-188-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4844-301-0x0000000006190000-0x000000000619A000-memory.dmp

Filesize
40KB

Download
memory/4844-186-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4844-316-0x000000000A650000-0x000000000A752000-memory.dmp

Filesize
1.0MB

Download
memory/4844-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-189-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-187-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-192-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-179-0x0000000000000000-mapping.dmp

Download
memory/4996-194-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-182-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-196-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-185-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-230-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

Filesize
72KB

Download
memory/5108-435-0x0000000000000000-mapping.dmp

Download