asyncrat | 6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76

Analysis

max time kernel
298s
max time network
303s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06-11-2022 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76.exe
Size

1.8MB
MD5

06db507c42adffa90360eb3f16ba4814
SHA1

ea494b7ff319b10749b0baaad707bc841985f6c4
SHA256

6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76
SHA512

1f12901291e9bac11ad4d25200ff49c81f7fdd3b66787b10ec1dd1bb049823b1ef606dd8d949016fc7de0630794fa38131d3727f2f0f205d568037a758adbcf2
SSDEEP

49152:c0OB/3taBrb/TMvO90d7HjmAFd4A64nsfJ4LigXG/jpCeqBz1:I3417

Score

10^/10

asyncrat bitrat xenarmor new collection password persistence rat recovery spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7 - modded by last

Botnet

New

nicehash.at:4343

Mutex

adsasutex_qwqdanchun

Attributes

delay
1
install
true
install_file
GoogleDriver.exe
install_folder
%AppData%

aes.plain

Extracted

Family

bitrat

Version

1.38

nicehash.at:6000

Attributes

communication_password
005f16f264f006578c55237781f36898
install_dir
JavaHelper
install_file
Java.exe
tor_process
tor

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000001ac49-500.dat	acprotect
behavioral2/files/0x000600000001ac49-501.dat	acprotect

Async RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/files/0x000d00000001ac1f-270.dat	asyncrat
behavioral2/files/0x000d00000001ac1f-271.dat	asyncrat
behavioral2/memory/3808-272-0x000001F7AC170000-0x000001F7AC186000-memory.dmp	asyncrat
behavioral2/files/0x000a00000001ac20-280.dat	asyncrat
behavioral2/files/0x000a00000001ac20-279.dat	asyncrat
behavioral2/memory/1180-281-0x00000234F8470000-0x00000234F8490000-memory.dmp	asyncrat

Executes dropped EXE 5 IoCs

pid	Process
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
1180	GoogleDriver.exe
3920	bit.exe
3516	Java.exe
2096	Java.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001ac28-298.dat	upx
behavioral2/files/0x000700000001ac28-304.dat	upx
behavioral2/memory/3920-313-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3920-341-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/files/0x000700000001ac28-409.dat	upx
behavioral2/memory/3516-412-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/3516-440-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/files/0x000700000001ac28-448.dat	upx
behavioral2/memory/3516-536-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
2096	Java.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Java.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe⠀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe︀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe\ueb00"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe欀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe관"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe需"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe缀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe℀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe开"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exeĀ"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe鼀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe褀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe瀀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe樀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exeᤀ"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe\uea00"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe鐀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe\ue500"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe刀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe匀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe였"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe䠀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe㸀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe␀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe頀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe倀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe케"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe\uab00"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe輀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe\uef00"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe伀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe稀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe\u0e00"	bit.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
3920	bit.exe
3920	bit.exe
3920	bit.exe
3920	bit.exe
3920	bit.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3920 set thread context of 3516	3920	bit.exe	99
PID 3516 set thread context of 2096	3516	Java.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1392	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
864	timeout.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2852	powershell.exe
2852	powershell.exe
2852	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4120	powershell.exe
4120	powershell.exe
4120	powershell.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
520	powershell.exe
520	powershell.exe
520	powershell.exe
1180	GoogleDriver.exe
1180	GoogleDriver.exe
2096	Java.exe
2096	Java.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeIncreaseQuotaPrivilege	4692	powershell.exe
Token: SeSecurityPrivilege	4692	powershell.exe
Token: SeTakeOwnershipPrivilege	4692	powershell.exe
Token: SeLoadDriverPrivilege	4692	powershell.exe
Token: SeSystemProfilePrivilege	4692	powershell.exe
Token: SeSystemtimePrivilege	4692	powershell.exe
Token: SeProfSingleProcessPrivilege	4692	powershell.exe
Token: SeIncBasePriorityPrivilege	4692	powershell.exe
Token: SeCreatePagefilePrivilege	4692	powershell.exe
Token: SeBackupPrivilege	4692	powershell.exe
Token: SeRestorePrivilege	4692	powershell.exe
Token: SeShutdownPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeSystemEnvironmentPrivilege	4692	powershell.exe
Token: SeRemoteShutdownPrivilege	4692	powershell.exe
Token: SeUndockPrivilege	4692	powershell.exe
Token: SeManageVolumePrivilege	4692	powershell.exe
Token: 33	4692	powershell.exe
Token: 34	4692	powershell.exe
Token: 35	4692	powershell.exe
Token: 36	4692	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeIncreaseQuotaPrivilege	1756	powershell.exe
Token: SeSecurityPrivilege	1756	powershell.exe
Token: SeTakeOwnershipPrivilege	1756	powershell.exe
Token: SeLoadDriverPrivilege	1756	powershell.exe
Token: SeSystemProfilePrivilege	1756	powershell.exe
Token: SeSystemtimePrivilege	1756	powershell.exe
Token: SeProfSingleProcessPrivilege	1756	powershell.exe
Token: SeIncBasePriorityPrivilege	1756	powershell.exe
Token: SeCreatePagefilePrivilege	1756	powershell.exe
Token: SeBackupPrivilege	1756	powershell.exe
Token: SeRestorePrivilege	1756	powershell.exe
Token: SeShutdownPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeSystemEnvironmentPrivilege	1756	powershell.exe
Token: SeRemoteShutdownPrivilege	1756	powershell.exe
Token: SeUndockPrivilege	1756	powershell.exe
Token: SeManageVolumePrivilege	1756	powershell.exe
Token: 33	1756	powershell.exe
Token: 34	1756	powershell.exe
Token: 35	1756	powershell.exe
Token: 36	1756	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe
Token: SeDebugPrivilege	1180	GoogleDriver.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeShutdownPrivilege	3920	bit.exe
Token: SeDebugPrivilege	2096	Java.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3920	bit.exe
3920	bit.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2852	2452	6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76.exe	66
PID 2452 wrote to memory of 2852	2452	6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76.exe	66
PID 2852 wrote to memory of 3328	2852	powershell.exe	68
PID 2852 wrote to memory of 3328	2852	powershell.exe	68
PID 3328 wrote to memory of 4692	3328	cmd.exe	70
PID 3328 wrote to memory of 4692	3328	cmd.exe	70
PID 2452 wrote to memory of 4120	2452	6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76.exe	72
PID 2452 wrote to memory of 4120	2452	6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76.exe	72
PID 3328 wrote to memory of 4244	3328	cmd.exe	74
PID 3328 wrote to memory of 4244	3328	cmd.exe	74
PID 4120 wrote to memory of 4920	4120	powershell.exe	75
PID 4120 wrote to memory of 4920	4120	powershell.exe	75
PID 4920 wrote to memory of 1756	4920	cmd.exe	77
PID 4920 wrote to memory of 1756	4920	cmd.exe	77
PID 4920 wrote to memory of 4904	4920	cmd.exe	78
PID 4920 wrote to memory of 4904	4920	cmd.exe	78
PID 2452 wrote to memory of 4816	2452	6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76.exe	79
PID 2452 wrote to memory of 4816	2452	6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76.exe	79
PID 4816 wrote to memory of 4412	4816	powershell.exe	81
PID 4816 wrote to memory of 4412	4816	powershell.exe	81
PID 4412 wrote to memory of 3808	4412	cmd.exe	83
PID 4412 wrote to memory of 3808	4412	cmd.exe	83
PID 3808 wrote to memory of 3100	3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe	84
PID 3808 wrote to memory of 3100	3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe	84
PID 3808 wrote to memory of 700	3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe	86
PID 3808 wrote to memory of 700	3808	sqatyavkpcidpvwiialfnbdpawluusrm.exe	86
PID 3100 wrote to memory of 1392	3100	cmd.exe	88
PID 3100 wrote to memory of 1392	3100	cmd.exe	88
PID 700 wrote to memory of 864	700	cmd.exe	89
PID 700 wrote to memory of 864	700	cmd.exe	89
PID 700 wrote to memory of 1180	700	cmd.exe	90
PID 700 wrote to memory of 1180	700	cmd.exe	90
PID 1180 wrote to memory of 2104	1180	GoogleDriver.exe	92
PID 1180 wrote to memory of 2104	1180	GoogleDriver.exe	92
PID 2104 wrote to memory of 520	2104	cmd.exe	94
PID 2104 wrote to memory of 520	2104	cmd.exe	94
PID 520 wrote to memory of 3920	520	powershell.exe	95
PID 520 wrote to memory of 3920	520	powershell.exe	95
PID 520 wrote to memory of 3920	520	powershell.exe	95
PID 1180 wrote to memory of 2852	1180	GoogleDriver.exe	96
PID 1180 wrote to memory of 2852	1180	GoogleDriver.exe	96
PID 2852 wrote to memory of 4736	2852	cmd.exe	98
PID 2852 wrote to memory of 4736	2852	cmd.exe	98
PID 3920 wrote to memory of 3516	3920	bit.exe	99
PID 3920 wrote to memory of 3516	3920	bit.exe	99
PID 3920 wrote to memory of 3516	3920	bit.exe	99
PID 3920 wrote to memory of 3516	3920	bit.exe	99
PID 3920 wrote to memory of 3516	3920	bit.exe	99
PID 3920 wrote to memory of 3516	3920	bit.exe	99
PID 3920 wrote to memory of 3516	3920	bit.exe	99
PID 3920 wrote to memory of 3516	3920	bit.exe	99
PID 3516 wrote to memory of 2096	3516	Java.exe	100
PID 3516 wrote to memory of 2096	3516	Java.exe	100
PID 3516 wrote to memory of 2096	3516	Java.exe	100
PID 3516 wrote to memory of 2096	3516	Java.exe	100
PID 3516 wrote to memory of 2096	3516	Java.exe	100
PID 3516 wrote to memory of 2096	3516	Java.exe	100
PID 3516 wrote to memory of 2096	3516	Java.exe	100
PID 3516 wrote to memory of 2096	3516	Java.exe	100

C:\Users\Admin\AppData\Local\Temp\6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76.exe
"C:\Users\Admin\AppData\Local\Temp\6d42060f990b9861982be51ef06c39b2c7b1bd8b4a06b36cf8434f70f44cce76.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath 'C:\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4692
  - - C:\Windows\system32\fsutil.exe
      fsutil file createnew C:\Users\Admin\AppData\Roaming\excluded.txt 1
      4⤵
      PID:4244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath 'C:\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Windows\system32\fsutil.exe
      fsutil file createnew C:\Users\Admin\AppData\Roaming\excluded.txt 1
      4⤵
      PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \"/k start %AppData%\sqatyavkpcidpvwiialfnbdpawluusrm.exe\" -WindowStyle hidden"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k start %AppData%\sqatyavkpcidpvwiialfnbdpawluusrm.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Users\Admin\AppData\Roaming\sqatyavkpcidpvwiialfnbdpawluusrm.exe
      C:\Users\Admin\AppData\Roaming\sqatyavkpcidpvwiialfnbdpawluusrm.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:1392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C66.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:700
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:864
      - C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\bit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bit.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\JavaHelper\Java.exe
        
        -a "C:\Users\Admin\AppData\Local\f7283604\plg\LdxkDGqb.json"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\JavaHelper\Java.exe
        
        -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook accounts
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"'
        8⤵
        
        PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JavaHelper\Java.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\Java.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\License.XenArmor

Filesize
104B

MD5
4f3bde9212e17ef18226866d6ac739b6

SHA1
732733bec8314beb81437e60876ffa75e72ae6cd

SHA256
212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

SHA512
10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\License.XenArmor

Filesize
104B

MD5
bf5da170f7c9a8eae88d1cb1a191ff80

SHA1
dd1b991a1b03587a5d1edc94e919a2070e325610

SHA256
e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

SHA512
9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
071c9082efde5735a4ad4a2507b0a1d8

SHA1
8bafbb51ccd52af252d228c0d8e56fd59ddb92d6

SHA256
ec1bddb43108f5e65b96032164b19acba2bc825ee5d33d70f0846a5d5099798c

SHA512
9d524aeb810394218c68710262b4bbae2bc79d8f1aa28de617c0fe518959c506dba711d5912c0a7bbc6547b498ed07dd0bf4e7f31967ed433e2ecefe6ab5f75f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27cf9d47447266824d69ca157a6ad83e

SHA1
5a17b7cb05665215911fa405f9db22f2716925b6

SHA256
710a1dcbbfd38ef0b82b5f44fe4288927c3230d9c5f473f15b23437657cc55e8

SHA512
8ccfc0f2af3e367c88c6a7ff5bd0934cc1da103459c3edd459e7bc64cdfe06af329c13baf75be23aff68e87b21de5416a059386daa743523191cf216763457ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27cf9d47447266824d69ca157a6ad83e

SHA1
5a17b7cb05665215911fa405f9db22f2716925b6

SHA256
710a1dcbbfd38ef0b82b5f44fe4288927c3230d9c5f473f15b23437657cc55e8

SHA512
8ccfc0f2af3e367c88c6a7ff5bd0934cc1da103459c3edd459e7bc64cdfe06af329c13baf75be23aff68e87b21de5416a059386daa743523191cf216763457ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f4787a9cf1352d5036e63aa6c15bb51

SHA1
8a1235cabd9d9cc36ab279a412c74b3d71c6f911

SHA256
1dd11a02b2ed93693fb3b792c4514ed5240c8f2b229b54117bbecbd8b7c284c4

SHA512
2c8a3bb09adaef9a13775088eb8c9ab28a69d23575ae38ea390318d1884914ed17956b444bc19ffea3283d0abd8baaa99f793f4356693ee044c9cf2ce934fdd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04104eb573a106f92504a3c05cd043a6

SHA1
e864b1d39b1deb92d5ab93fec69b5696c82575c4

SHA256
f16499d6df00336af1ac8c809fa64db940015e8a17cbe8185870bbbccc832518

SHA512
5cc1443097d3153624692aab7af5dd38dc8a14f032a819fcd317b396de6a18e66f3e05026233def6f5778cf2e9088ce6578ea95a405cd033c435140af5cfeace

Download Submit
C:\Users\Admin\AppData\Local\Temp\bit.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\bit.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C66.tmp.bat

Filesize
156B

MD5
766d6b5df7ebfddba739454754a14e66

SHA1
acb6803fffeea0eaa38cdb946dce562de52119cf

SHA256
bdf158a8102d30bdecfb7b95807dba50c9eb70a80da2f9fe146e8a758905eebf

SHA512
7d35f8005603e439f516d3cafc9973f698481baff956be7a8b18d6ad7d6b098bab1bbd5a8fa148f18a22d73586160e48e41ff47594a7d2d34c2546dd9930ca0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\unk.xml

Filesize
1KB

MD5
77e6621fd939338d3f19f3dd948ecf43

SHA1
53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

SHA256
9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

SHA512
6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

Download Submit
C:\Users\Admin\AppData\Local\f7283604\plg\LdxkDGqb.json

Filesize
1KB

MD5
77e6621fd939338d3f19f3dd948ecf43

SHA1
53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

SHA256
9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

SHA512
6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\sqatyavkpcidpvwiialfnbdpawluusrm.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\sqatyavkpcidpvwiialfnbdpawluusrm.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
\Users\Admin\AppData\Local\JavaHelper\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
memory/1180-281-0x00000234F8470000-0x00000234F8490000-memory.dmp

Filesize
128KB

Download
memory/1180-282-0x00000234F84D0000-0x00000234F84EE000-memory.dmp

Filesize
120KB

Download
memory/2096-510-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2096-533-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/2096-458-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2096-512-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/2096-532-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2852-123-0x0000024255510000-0x0000024255532000-memory.dmp

Filesize
136KB

Download
memory/2852-127-0x0000024256000000-0x0000024256076000-memory.dmp

Filesize
472KB

Download
memory/3516-536-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/3516-440-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/3516-412-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/3808-272-0x000001F7AC170000-0x000001F7AC186000-memory.dmp

Filesize
88KB

Download
memory/3920-331-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-357-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-319-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-320-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-322-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-321-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-323-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-324-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-325-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-326-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-327-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-328-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-329-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-330-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-317-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-332-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-333-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-334-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-336-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-337-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-338-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-335-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-316-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-538-0x0000000073DC0000-0x0000000073DFA000-memory.dmp

Filesize
232KB

Download
memory/3920-341-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3920-342-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-343-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-344-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-345-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-346-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-347-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-349-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-348-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-350-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-351-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-352-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-353-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-354-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-355-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-318-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-356-0x0000000073DC0000-0x0000000073DFA000-memory.dmp

Filesize
232KB

Download
memory/3920-358-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-359-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-360-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-361-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-362-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-363-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-364-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-365-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-366-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-367-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-368-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-369-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-370-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-371-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-372-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-373-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-374-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-393-0x0000000073D90000-0x0000000073DCA000-memory.dmp

Filesize
232KB

Download
memory/3920-315-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-314-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-313-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3920-312-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-311-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-310-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-309-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-308-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-307-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-305-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download