asyncrat | 5b054b368eda8d148383e6a64d890b885d9a0b1898493e1008ffe1a531118b6b

Analysis

max time kernel
440s
max time network
454s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
17-03-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NiptuneRAT-main.zip
Size

29.9MB
MD5

5602885050f75519abfe95d7501fc5b6
SHA1

54214aa8b1a4d5e2692594ba4dea973e740e2c55
SHA256

5b054b368eda8d148383e6a64d890b885d9a0b1898493e1008ffe1a531118b6b
SHA512

7077ede3acc4b774181ff0866eeb5eb2672cdf2409384b2d46b45f8e182f3fc91bb65788c25bacc8af473a3083cc6bbbd73f5d4646b6f0fe2fb3e850c5eab7b2
SSDEEP

786432:IcRNogA1jwkC0OGikNuziqXkY0Ut79NhU8odVsGmtfIC884StIC0Q5k:IcRNojskhms5G0UsVoNIzxC0Qi

Score

10^/10

asyncrat default ransomware rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:1337

Mutex

斯Ff2MيdFP8KiZ吉שtQNMSZ

Attributes

delay
1
install
false
install_file
$77
install_folder
%AppData%

aes.plain

Extracted

Path

C:\Users\Admin\Desktop\pp.anarh.txt

Ransom Note

Windows has encountered a problem communicating with a device connected to your computer. This error can be caused by unplugging a removable storage device such as an external USB drive while the device is in use, or by faulty hardware such as a hard drive or CD-ROM drive that is failing. You may cancel the drive check, but it is strongly recommended that you continue. If you continue to receive this this error message, wait for the hard drive check to finish and contact the hardware manufacturer. Windows will now check the drive... ALL YOUR FILES HAVE BEEN ENCRYPTED Your hard drives have been encrypted with military-grade encryption. The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To get a unique key, write to us: Email: [email protected] If you already purchased your key, please enter it below!

Emails

[email protected]

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral4/files/0x000200000002a7e6-160.dat	disable_win_def
behavioral4/files/0x000200000002a7e6-161.dat	disable_win_def
behavioral4/memory/3012-164-0x0000022223CD0000-0x00000222255FA000-memory.dmp	disable_win_def

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral4/files/0x000100000002a83b-192.dat	family_asyncrat
behavioral4/files/0x000100000002a844-224.dat	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 2 IoCs

pid	Process
3012	NiptuneRAT.exe
3356	$77NiptuneClient.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1624	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1448	tasklist.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
944	ipconfig.exe
1804	NETSTAT.EXE
4504	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5060	systeminfo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NiptuneRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NiptuneRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\NodeSlot = "9"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NiptuneRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "8"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = ffffffff	NiptuneRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	NiptuneRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NiptuneRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NiptuneRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NiptuneRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	NiptuneRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NiptuneRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0	NiptuneRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1	NiptuneRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	NiptuneRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 6800310000000000715814ae10004e495054554e7e310000500009000400efbe715801ae715814ae2e000000dca70200000006000000000000000000000000000000796af6004e0069007000740075006e0065005200410054002d006d00610069006e00000018000000	NiptuneRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NiptuneRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NiptuneRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	NiptuneRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 020000000100000000000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	NiptuneRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	NiptuneRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	NiptuneRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	NiptuneRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\NodeSlot = "4"	NiptuneRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NiptuneRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	NiptuneRAT.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2980	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3012	NiptuneRAT.exe
2156	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	4636	7zFM.exe
Token: 35	4636	7zFM.exe
Token: SeSecurityPrivilege	4636	7zFM.exe
Token: SeDebugPrivilege	3012	NiptuneRAT.exe
Token: SeDebugPrivilege	3356	$77NiptuneClient.exe
Token: SeDebugPrivilege	1448	tasklist.exe
Token: SeDebugPrivilege	1804	NETSTAT.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4636	7zFM.exe
4636	7zFM.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
3012	NiptuneRAT.exe
2156	OpenWith.exe
2156	OpenWith.exe
2156	OpenWith.exe
2156	OpenWith.exe
2156	OpenWith.exe
2156	OpenWith.exe
2156	OpenWith.exe
2156	OpenWith.exe
2156	OpenWith.exe
2156	OpenWith.exe
2156	OpenWith.exe
2156	OpenWith.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 2976	3356	$77NiptuneClient.exe	104
PID 3356 wrote to memory of 2976	3356	$77NiptuneClient.exe	104
PID 2976 wrote to memory of 5060	2976	cmd.exe	106
PID 2976 wrote to memory of 5060	2976	cmd.exe	106
PID 2976 wrote to memory of 3936	2976	cmd.exe	108
PID 2976 wrote to memory of 3936	2976	cmd.exe	108
PID 2976 wrote to memory of 4984	2976	cmd.exe	109
PID 2976 wrote to memory of 4984	2976	cmd.exe	109
PID 4984 wrote to memory of 4340	4984	net.exe	110
PID 4984 wrote to memory of 4340	4984	net.exe	110
PID 2976 wrote to memory of 2396	2976	cmd.exe	111
PID 2976 wrote to memory of 2396	2976	cmd.exe	111
PID 2396 wrote to memory of 5068	2396	net.exe	112
PID 2396 wrote to memory of 5068	2396	net.exe	112
PID 2976 wrote to memory of 3036	2976	cmd.exe	113
PID 2976 wrote to memory of 3036	2976	cmd.exe	113
PID 3036 wrote to memory of 1068	3036	net.exe	114
PID 3036 wrote to memory of 1068	3036	net.exe	114
PID 2976 wrote to memory of 4820	2976	cmd.exe	115
PID 2976 wrote to memory of 4820	2976	cmd.exe	115
PID 4820 wrote to memory of 756	4820	net.exe	116
PID 4820 wrote to memory of 756	4820	net.exe	116
PID 2976 wrote to memory of 2948	2976	cmd.exe	117
PID 2976 wrote to memory of 2948	2976	cmd.exe	117
PID 2948 wrote to memory of 112	2948	net.exe	118
PID 2948 wrote to memory of 112	2948	net.exe	118
PID 2976 wrote to memory of 1448	2976	cmd.exe	119
PID 2976 wrote to memory of 1448	2976	cmd.exe	119
PID 2976 wrote to memory of 944	2976	cmd.exe	120
PID 2976 wrote to memory of 944	2976	cmd.exe	120
PID 2976 wrote to memory of 696	2976	cmd.exe	121
PID 2976 wrote to memory of 696	2976	cmd.exe	121
PID 2976 wrote to memory of 3008	2976	cmd.exe	122
PID 2976 wrote to memory of 3008	2976	cmd.exe	122
PID 2976 wrote to memory of 1804	2976	cmd.exe	123
PID 2976 wrote to memory of 1804	2976	cmd.exe	123
PID 2976 wrote to memory of 4504	2976	cmd.exe	124
PID 2976 wrote to memory of 4504	2976	cmd.exe	124
PID 2976 wrote to memory of 1624	2976	cmd.exe	125
PID 2976 wrote to memory of 1624	2976	cmd.exe	125

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip
1⤵
PID:1068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1352

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4636

C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe
"C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1064

C:\Users\Admin\Desktop\$77NiptuneClient.exe
"C:\Users\Admin\Desktop\$77NiptuneClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:5060
- - C:\Windows\system32\HOSTNAME.EXE
    hostname
    3⤵
    PID:3936
- - C:\Windows\system32\net.exe
    net user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:4340
- - C:\Windows\system32\net.exe
    net localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:5068
- - C:\Windows\system32\net.exe
    net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:1068
- - C:\Windows\system32\net.exe
    net user guest
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user guest
      4⤵
      PID:756
- - C:\Windows\system32\net.exe
    net user administrator
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrator
      4⤵
      PID:112
- - C:\Windows\system32\tasklist.exe
    tasklist /svc
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:944
- - C:\Windows\system32\ROUTE.EXE
    route print
    3⤵
    PID:696
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:3008
- - C:\Windows\system32\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\system32\ipconfig.exe
    ipconfig /displaydns
    3⤵
    - Gathers network information
    PID:4504
- - C:\Windows\system32\sc.exe
    sc query type= service state= all
    3⤵
    - Launches sc.exe
    PID:1624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\pp.anarh.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NiptuneRAT\NiptuneRAT.exe_Url_2virb1mjsp4und03eye3evhna3xsy40a\4.1.0.0\u04otmyy.newcfg

Filesize
927B

MD5
67ae3b067855a1e16f01e16ee389c8f0

SHA1
3bef83c7922cda26497a45bbfe209e65b14234a0

SHA256
07e9e4841eeace951264cf7b4cf5e8c6993fc923b851cb2360122fe7fec2ef0a

SHA512
db73d3a4a9523db12264d1cf53e50d44589af8dc83bdbb041eff8977f6134666d1836014ebde472039036a13beabe6adee026712f385453ed654ae5ac504e699

Download Submit
C:\Users\Admin\AppData\Local\NiptuneRAT\NiptuneRAT.exe_Url_2virb1mjsp4und03eye3evhna3xsy40a\4.1.0.0\user.config

Filesize
807B

MD5
77d636e08fe9de62cf19ad656409ccde

SHA1
827de958d0c46346c9c581be646b8c3a61fab648

SHA256
4155b94bb3ef65ff1f15d7f337f2ada62d474ec5ba7557562618e5206e83a558

SHA512
60712d620a884d897457f56d4ecc758c9a753c31f58fcb9d814af58dbc2e105435c9a73f837b4146e2e8edb7834b83f51dcecaaf39cd6f69be59d7bb5c28b839

Download Submit
C:\Users\Admin\Desktop\$77NiptuneClient.exe

Filesize
63KB

MD5
94ac7fdf09c22c9bfd33c451adfc1681

SHA1
7bb6e40d7d2492d09b281fcd64ec94aa47d75e96

SHA256
f7446c1f2f1f0b7882ea06a028c77e17898cdd81b13ad6fd0b92c6d3377bbb9d

SHA512
a532faabbe374c8ceb32d7fd8dc41b853c97e6a5831fbbb0dccfc46dbcc28ed9225959bc4bb2468379d53a0e8548ee592468e1c564f16e1a830205aafe1ca1c2

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe

Filesize
11.0MB

MD5
e05e2846c2c4eb4c218634e28031122a

SHA1
daac3911d4aace4b6fcd5c6d5a2adb9950eacfd4

SHA256
178bda21d7735ee8bc2bfb74bc487055853a451ae741b1486fda96125be8e7c4

SHA512
181df2727abdaafb985a84588adac451b0d0031912a556a29b3e9071368022ff8119197a16171eaf43e5dfd42e9cb45c1801373a39907d8689fce40d1cc7ce39

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe

Filesize
12.8MB

MD5
c9b1ee4563ecf0789bab3fdc31c7c346

SHA1
370173eb922e0d3d2f1d2393ef2dac604a6abcca

SHA256
783ce12d604d80f75e89cb9b8da650fbd65890ba3ed6c4b1dde3045d0b713052

SHA512
aa78e096bfb4a8cc5ce7b30ad7fd639f2f1106b0402da8ea0941f211d909a4a17cd41b272452d602583ba0083216c1e4ac485d869b9facdd71c78153e21dc208

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe.config

Filesize
517B

MD5
465c8716dc52edeaf09f0c61fc988934

SHA1
9cab6cec5f46d7528323fa2ad7aa2fc1a72d689b

SHA256
1c6051caeecdd3eeb78cad1b1efa60e56be4193d76f5718c73b8fdfcd61784c5

SHA512
0b386615940f254d6a7dd5650fc7da6544beab97d821bab8fe915dcc257729919142bbd6680b06a19f57c8c79c2c04368413fc31a7efef8e9248209f81c1cf3c

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\0guo3zbo66fqoG.dll

Filesize
78KB

MD5
e4ebcf76ff80ef398d3ab77d577f4c08

SHA1
cb9e6b30a63d50ae87610f6855b64abfb25691d2

SHA256
9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5

SHA512
8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\59Zp7paEHDF7luJ.dll

Filesize
1.5MB

MD5
6b24cb03ca441f81764f14412abe22c4

SHA1
37eefe413b01080c85f437e5845add5f9e3c2c10

SHA256
057313c967420c8a6ef644a78109af3f681fb332f9e8ebb55e4a29efeb093afe

SHA512
9ef792c0b90f6eb1a6ed23402fd19bcf7ddb48ec0b7a18eaf7d708e873a060b4698e3174400162f2436a0180ebac72400883dd5cebe246a8690a053a431877a7

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Audio.dll

Filesize
128KB

MD5
cf863d12b476133d97f3827007f53fa1

SHA1
97478287ae4ad542671fce20b39ccc47c230b5d8

SHA256
9e80ce9cd2c8d4b15a1f7326a0b6674f3da617f4704cf5a49bb99b7dceed1b5e

SHA512
9ebfab2f4af63b69156aacbdd6e9f4ff581bb7c1cbf0d4d1f7faa35c838fcfbc77446ae3c735f8bb927c744ae81d9645b2c11c365ac49bb8732523520712ed5d

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\EVa7gBMKoaHmLC.dll

Filesize
116KB

MD5
ec4f4d4e9f133b53f5cab8a01193bdbc

SHA1
8a9539f232f1ee7437308af216c80efef434b3d7

SHA256
63b132fb283869799d218b453ba8a032b5a2fea372a27871326536776fae9481

SHA512
009967c45320248cbc5dab177f725c8b91e1f540e4651cfc59e25137f8c9933a84580f364057d1f6c11efd783b2bd782ecf7274ef6cf3a45252cf65ae339c6b3

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\FBSyChwp.dll

Filesize
116KB

MD5
841ff739bd70a4c6f61a43793feea007

SHA1
ec73f4b50c2e36568bfb21b3f87cb8ca55ae5722

SHA256
cda6e05e54f1da8511958683aa100eb4bc6bb749ad4699676755dda18c152d84

SHA512
086c1ac156b380ce850dcbbbd3ca59477953f665dc592944d851e89aa17f846c94a1003b57f5c842cf3e5536523828b407ee2a0b170f01605d7d72eb5c7db2f8

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\G3nl0mDcABnDuZ.dll

Filesize
128KB

MD5
7884b35cfe1ba24ad7e4cd78f48a1a09

SHA1
86cf35919ead978c5fe817d6c4f2e18bb32727fb

SHA256
ed4562e5b6527f2ebb2318f83f31a3af4dbe06dbf8e764ebf5706b0790346b88

SHA512
30a57bc171ec76c7295766df01f8970ff98dbb3a13a5c52a1e75329fb45b69b7fa8c199da0cb6648258b90c48c3341c3bde73088e773f5037f3de323192bcf8f

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\K8oCBS3ThnW0WP.dll

Filesize
128KB

MD5
081ea64eb8b4f333014276d59fdec0b4

SHA1
0791627bb38d6818ceb2bf419f19376aef14e494

SHA256
b5022706fec021abf416d4b4f806485a2915f3a47b71e73241ef73e7845b21f9

SHA512
b5b9e2c1927313919de6ddc8cc5ddc3438846be8817e022f964ec52612f6ad5301a83c88888fffa1cdabc9a29f42431a4c84668987edb32b4bd6587d64dedd54

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\KNTmoSnG.AnarHs.dll

Filesize
373KB

MD5
1681e0f3311751361030ff30a957a1ed

SHA1
8f3b55e130af507549817fda37474a1391e6b8f2

SHA256
234724f14dbb999853aeb872d7e6c3ed0b3de5b105009b5c66131a2af8d0dbb4

SHA512
60690b2c1e2816a640f5763f9c20de9a39cb9735ea4a3f0bf4f477d3e184f8791e556313a7523c70ed2fb9182d520842bce70057cedd5cb89b923fd6f9067dd1

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\PK0TcnqTGFagQTS.dll

Filesize
174KB

MD5
fa90a2aee0d172000257c4faca31237c

SHA1
b317281b4acaaf1d7b7255c5e92887322abae892

SHA256
991fc53fa1aa7b5cd0b6e19dab536873d68e4413fd55b533601a3a2582d38a49

SHA512
b05c0b52e011089258ad31dd23a1f8a0cc8145b202e42e2a9d4fdf892c12d4a7b5843cc7721041295ab796e8bc98747b9e321c4e54bfd1a7c9a02dd2796fc405

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Recovery.dll

Filesize
309KB

MD5
08131d6801c109f0764a4fe690aba8ef

SHA1
e732af02326483700eda52ff40dc70cff6b7afcb

SHA256
bc3a9390c043f8002e356ad34b2b11d3486682d0c275ab6729bb4a312e324f51

SHA512
228ab0aa0ddfdb0c099f1db5112304d776cb97ab2dab376d38023e446cb2aec30d9585eba444818f3241ffbc28565a1aef11f97b5b42bf57037de8e4a8536e2a

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\RssCnLKcGRxj.dll

Filesize
181KB

MD5
f6808c4fbbe0275db03b2cc5b4c2bc0d

SHA1
e40b61c64c68f72fc5144f5057d54229babdecf8

SHA256
e204d15f0e7269d364157aaab265a5dfbe7e76c9f6202bf90998f0edd77ca248

SHA512
f077c49f6943d0e40799b3b42d1e11f50dabca48305c36ef2acd3258c990e0e0f982fbb0c27b1243aa15d2ed7b398b70f07dddc9ba76ff032ba74a24c8e08fb4

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\mML6WKMqdxjDGA.dll

Filesize
173KB

MD5
e03b206eec8a7efbd1a47909071226e5

SHA1
21163989ea524920e874bc7932adfcd5e94f854e

SHA256
778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965

SHA512
831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\maSN8TBMgUEC.dll

Filesize
570KB

MD5
d5a278acdafa0c8b4380efb7d83e053e

SHA1
376218e3aa607a3b82be55cfa718826991953654

SHA256
d93d72c6e929bd9cea468458e6c0558908a92f0ecd11f4f4db0f49acfe9d4fc5

SHA512
138def485e02fdcf1809f0d8162fdd2a50575f3cab56968fbc6d09d0c1e9fe6803860315e45c1a7e0eff75958988ed6b08735fa680fa66527630c6789a23a00b

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\oYsKwDG.dll

Filesize
4.0MB

MD5
19f8d8099cc9b7b6a68e7efebc44ac18

SHA1
5a5cca2ad1168252d79ef7c0ffda58726de7f79c

SHA256
9157a6021901939611c80c4246dbec6007200b2f2457d348ce8834bef9872535

SHA512
6bb58b3157feb010555382c5b5b5d0ee982af324f1d88512ea5d5b984b949995d7387a9496388cb7b9589007ae9ec651e5f8219085517d82eef093e4ebb7ecbc

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Stub\Stub.exe

Filesize
59KB

MD5
0da861f192f8e722505826c141c05a40

SHA1
4d717f9d2a64caf68374ed1e246cf38dd208227b

SHA256
4c6a73271e3a0794bff16fa39b45771e9e39b873e12fdc7031e03fbda238667b

SHA512
7b61ac15ba95e0b8a9ebac2f33e7137083b18204de503e7a2946af65e9d5b6ad9e826a27770e10862dc825f3e20e8bd72463593528a623c4603f9628f8c27280

Download Submit
C:\Users\Admin\Desktop\NiptuneRAT-main\Usrs.p12

Filesize
1KB

MD5
e22a0515af0220bc5c4497f85e518e24

SHA1
2702b7cf46f8ae5ed920469b169c03b07a5d14e7

SHA256
4512413f9478d03074b4bea5deaff1681ec28c74839c16f3cf7d56b0418a8f92

SHA512
cbee300346822a3cd9da43985143258085513bf4515287974f9def05c047477f313648f4017118167f30f1eb241b5c490a11128f98352f96b24f0d2e62840d92

Download Submit
C:\Users\Admin\Desktop\pp.anarh.txt

Filesize
993B

MD5
9be9355dfef9f635bef4a94e4c040209

SHA1
b69a9fccf3391e898dbf8755ef71f7fc52e15880

SHA256
9017a399259db69ba7e4a84f38843ca91df676a0b44ecec5ef884f83ed5fd44f

SHA512
ad8dd6525d98214eb92c825bff6a197a7fe8bdda37f7b608725b4dc14780570104a0a2726ab971358b9b0ac40b8499b852b96d60a3aded254487d1c3f369b410

Download Submit
memory/3012-175-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3012-170-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3012-190-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3012-189-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3012-163-0x00007FFAE7E50000-0x00007FFAE8912000-memory.dmp

Filesize
10.8MB

Download
memory/3012-262-0x000002224C6E0000-0x000002224C7E0000-memory.dmp

Filesize
1024KB

Download
memory/3012-228-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3012-164-0x0000022223CD0000-0x00000222255FA000-memory.dmp

Filesize
25.2MB

Download
memory/3012-230-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3012-251-0x000002224C6E0000-0x000002224C7E0000-memory.dmp

Filesize
1024KB

Download
memory/3012-233-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3012-188-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3012-178-0x000002224ABD0000-0x000002224AE50000-memory.dmp

Filesize
2.5MB

Download
memory/3012-177-0x000002224ABB0000-0x000002224ABC2000-memory.dmp

Filesize
72KB

Download
memory/3012-176-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3012-174-0x00007FFAE7E50000-0x00007FFAE8912000-memory.dmp

Filesize
10.8MB

Download
memory/3012-173-0x000002224A820000-0x000002224A82A000-memory.dmp

Filesize
40KB

Download
memory/3012-172-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3012-171-0x0000022249C10000-0x000002224A1F8000-memory.dmp

Filesize
5.9MB

Download
memory/3012-191-0x000002224D260000-0x000002224D37E000-memory.dmp

Filesize
1.1MB

Download
memory/3012-169-0x0000022240910000-0x0000022240924000-memory.dmp

Filesize
80KB

Download
memory/3012-168-0x0000022240780000-0x00000222408CE000-memory.dmp

Filesize
1.3MB

Download
memory/3012-167-0x0000022240200000-0x00000222403F4000-memory.dmp

Filesize
2.0MB

Download
memory/3012-166-0x000002223FB90000-0x000002223FDE2000-memory.dmp

Filesize
2.3MB

Download
memory/3012-165-0x00000222274A0000-0x00000222274B0000-memory.dmp

Filesize
64KB

Download
memory/3356-254-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/3356-248-0x000000001D0C0000-0x000000001D136000-memory.dmp

Filesize
472KB

Download
memory/3356-250-0x000000001B200000-0x000000001B21E000-memory.dmp

Filesize
120KB

Download
memory/3356-231-0x00007FFB09280000-0x00007FFB09489000-memory.dmp

Filesize
2.0MB

Download
memory/3356-252-0x00007FFAE7E50000-0x00007FFAE8912000-memory.dmp

Filesize
10.8MB

Download
memory/3356-253-0x000000001B240000-0x000000001B272000-memory.dmp

Filesize
200KB

Download
memory/3356-249-0x00000000026C0000-0x00000000026F4000-memory.dmp

Filesize
208KB

Download
memory/3356-255-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/3356-229-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/3356-258-0x000000001D240000-0x000000001D270000-memory.dmp

Filesize
192KB

Download
memory/3356-256-0x00007FFB09280000-0x00007FFB09489000-memory.dmp

Filesize
2.0MB

Download
memory/3356-227-0x00007FFAE7E50000-0x00007FFAE8912000-memory.dmp

Filesize
10.8MB

Download
memory/3356-263-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/3356-226-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download