njrat | d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

Analysis

max time kernel
185s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
Size

151KB
MD5

8f84ba13287f7ee0c93789149019d804
SHA1

ed79b8478aa8616336e7611f2ba26ce49cc8e501
SHA256

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659
SHA512

4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa
SSDEEP

3072:tWudTyuuyrJ3BWIFUU99A5YzB/0V2DFP3IsS1PbQp+KQ:TiyrdrU498KpPrMbv

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

visichatrooms.no-ip.info:92

Mutex

8f804de644157aa7bac4cf1736c75287

Attributes

reg_key
8f804de644157aa7bac4cf1736c75287
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 7 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

2592 svchost.exe
4804 svchost.exe
2456 svchost.exe
2176 svchost.exe
1488 svchost.exe
3912 svchost.exe
2288 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

788 netsh.exe

pid	process
2592	svchost.exe
4804	svchost.exe
2456	svchost.exe
2176	svchost.exe
1488	svchost.exe
3912	svchost.exe
2288	svchost.exe

pid	process
788	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8f804de644157aa7bac4cf1736c75287.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8f804de644157aa7bac4cf1736c75287.exe	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\side = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\side.exe"	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\side = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\side.exe"	svchost.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

Suspicious use of SetThreadContext 13 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exesvchost.exe

description	pid	process	target process
PID 3616 set thread context of 1200	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 set thread context of 4020	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 2592 set thread context of 4804	2592	svchost.exe	svchost.exe
PID 3616 set thread context of 1144	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 2592 set thread context of 3912	2592	svchost.exe	svchost.exe
PID 2592 set thread context of 2288	2592	svchost.exe	svchost.exe
PID 3616 set thread context of 3332	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 set thread context of 1976	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 set thread context of 1536	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 set thread context of 1088	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 set thread context of 1752	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 set thread context of 4268	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 set thread context of 2488	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

Drops file in Windows directory 3 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
File created	C:\Windows\assembly\Desktop.ini	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

pid	process
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
Token: SeDebugPrivilege	2592	svchost.exe
Token: SeDebugPrivilege	2288	svchost.exe
Token: 33	2288	svchost.exe
Token: SeIncBasePriorityPrivilege	2288	svchost.exe
Token: 33	2288	svchost.exe
Token: SeIncBasePriorityPrivilege	2288	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exed371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exesvchost.exe

description	pid	process	target process
PID 3616 wrote to memory of 2448	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 3616 wrote to memory of 2448	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 3616 wrote to memory of 2448	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 3616 wrote to memory of 4092	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 3616 wrote to memory of 4092	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 3616 wrote to memory of 4092	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 3616 wrote to memory of 1200	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1200	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1200	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1200	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1200	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1200	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1200	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1200	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1200 wrote to memory of 2592	1200	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	svchost.exe
PID 1200 wrote to memory of 2592	1200	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	svchost.exe
PID 1200 wrote to memory of 2592	1200	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	svchost.exe
PID 3616 wrote to memory of 4044	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 4044	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 4044	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 2592 wrote to memory of 3260	2592	svchost.exe	CMD.exe
PID 2592 wrote to memory of 3260	2592	svchost.exe	CMD.exe
PID 2592 wrote to memory of 3260	2592	svchost.exe	CMD.exe
PID 3616 wrote to memory of 4020	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 4020	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 4020	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 4020	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 4020	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 4020	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 4020	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 4020	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 2592 wrote to memory of 4252	2592	svchost.exe	CMD.exe
PID 2592 wrote to memory of 4252	2592	svchost.exe	CMD.exe
PID 2592 wrote to memory of 4252	2592	svchost.exe	CMD.exe
PID 2592 wrote to memory of 4804	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 4804	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 4804	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 4804	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 4804	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 4804	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 4804	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 4804	2592	svchost.exe	svchost.exe
PID 3616 wrote to memory of 1144	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1144	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1144	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 2592 wrote to memory of 2456	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 2456	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 2456	2592	svchost.exe	svchost.exe
PID 3616 wrote to memory of 1144	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1144	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1144	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1144	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 3616 wrote to memory of 1144	3616	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 2592 wrote to memory of 2176	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 2176	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 2176	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 1488	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 1488	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 1488	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 3912	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 3912	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 3912	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 3912	2592	svchost.exe	svchost.exe
PID 2592 wrote to memory of 3912	2592	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:2448

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\CMD.exe
"CMD"
4⤵
PID:3260

C:\Windows\SysWOW64\CMD.exe
"CMD"
4⤵
PID:4252

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
PID:4804

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
PID:2456

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
PID:2176

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
PID:3912

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:788

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:2488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe.log
Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\side.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\side.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
memory/788-189-0x0000000000000000-mapping.dmp

Download
memory/1088-202-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1088-201-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1088-199-0x0000000000000000-mapping.dmp

Download
memory/1144-180-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1144-174-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1144-162-0x0000000000000000-mapping.dmp

Download
memory/1200-144-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1200-140-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1200-139-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1200-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1200-137-0x0000000000000000-mapping.dmp

Download
memory/1488-168-0x0000000000000000-mapping.dmp

Download
memory/1536-195-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1536-196-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1536-193-0x0000000000000000-mapping.dmp

Download
memory/1752-204-0x0000000000000000-mapping.dmp

Download
memory/1752-206-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1752-207-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1976-191-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1976-188-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1976-186-0x0000000000000000-mapping.dmp

Download
memory/2176-166-0x0000000000000000-mapping.dmp

Download
memory/2288-181-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2288-190-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2288-177-0x0000000000000000-mapping.dmp

Download
memory/2448-133-0x0000000000000000-mapping.dmp

Download
memory/2448-192-0x0000000000000000-mapping.dmp

Download
memory/2456-163-0x0000000000000000-mapping.dmp

Download
memory/2488-213-0x0000000000000000-mapping.dmp

Download
memory/2592-152-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2592-155-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2592-141-0x0000000000000000-mapping.dmp

Download
memory/2692-197-0x0000000000000000-mapping.dmp

Download
memory/3032-203-0x0000000000000000-mapping.dmp

Download
memory/3132-198-0x0000000000000000-mapping.dmp

Download
memory/3228-212-0x0000000000000000-mapping.dmp

Download
memory/3260-146-0x0000000000000000-mapping.dmp

Download
memory/3332-182-0x0000000000000000-mapping.dmp

Download
memory/3332-184-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/3332-185-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/3616-136-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/3616-132-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/3912-176-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/3912-169-0x0000000000000000-mapping.dmp

Download
memory/3912-175-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4020-147-0x0000000000000000-mapping.dmp

Download
memory/4020-154-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4020-151-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4020-160-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4044-145-0x0000000000000000-mapping.dmp

Download
memory/4092-134-0x0000000000000000-mapping.dmp

Download
memory/4252-150-0x0000000000000000-mapping.dmp

Download
memory/4268-208-0x0000000000000000-mapping.dmp

Download
memory/4268-210-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4268-211-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4804-159-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4804-156-0x0000000000000000-mapping.dmp

Download
memory/4804-161-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download