bitrat | caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f

max time kernel
596s
max time network
603s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub_tor.exe
Size

7.8MB
MD5

c76390d9e1052d9e708940d67b5c135d
SHA1

a370a73a9dd746584428e8a939288ecffd3c80f7
SHA256

caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f
SHA512

4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b
SSDEEP

196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion:440

Attributes

communication_password
4124bc0a9335c27f086f24ba207a4912
install_dir
Minecraft
install_file
Runtime_Broker
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll	acprotect

Executes dropped EXE 14 IoCs

Processes:

tor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exe

pid	process
1388	tor.exe
2152	tor.exe
2788	tor.exe
2480	tor.exe
2324	tor.exe
1672	tor.exe
1980	tor.exe
3064	tor.exe
1332	tor.exe
1312	tor.exe
1932	tor.exe
944	tor.exe
2748	tor.exe
2400	tor.exe

Loads dropped DLL 64 IoCs

Processes:

stub_tor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exe

pid	process
1612	stub_tor.exe
1612	stub_tor.exe
1388	tor.exe
1388	tor.exe
1388	tor.exe
1388	tor.exe
1388	tor.exe
1388	tor.exe
1388	tor.exe
1612	stub_tor.exe
2152	tor.exe
2152	tor.exe
2152	tor.exe
2152	tor.exe
2152	tor.exe
2152	tor.exe
2152	tor.exe
1612	stub_tor.exe
2788	tor.exe
2788	tor.exe
2788	tor.exe
2788	tor.exe
2788	tor.exe
2788	tor.exe
2788	tor.exe
1612	stub_tor.exe
2480	tor.exe
2480	tor.exe
2480	tor.exe
2480	tor.exe
2480	tor.exe
2480	tor.exe
2480	tor.exe
1612	stub_tor.exe
2324	tor.exe
2324	tor.exe
2324	tor.exe
2324	tor.exe
2324	tor.exe
2324	tor.exe
2324	tor.exe
1612	stub_tor.exe
1672	tor.exe
1672	tor.exe
1672	tor.exe
1672	tor.exe
1672	tor.exe
1672	tor.exe
1672	tor.exe
1612	stub_tor.exe
1980	tor.exe
1980	tor.exe
1980	tor.exe
1980	tor.exe
1980	tor.exe
1980	tor.exe
1980	tor.exe
1612	stub_tor.exe
3064	tor.exe
3064	tor.exe
3064	tor.exe
3064	tor.exe
3064	tor.exe
3064	tor.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe	upx
behavioral1/memory/1388-20-0x0000000000140000-0x0000000000544000-memory.dmp	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll	upx
behavioral1/memory/1388-28-0x0000000073DF0000-0x00000000740BF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll	upx
behavioral1/memory/1388-37-0x0000000073BC0000-0x0000000073CCA000-memory.dmp	upx
behavioral1/memory/1388-38-0x0000000073B30000-0x0000000073BB8000-memory.dmp	upx
behavioral1/memory/1388-40-0x00000000740E0000-0x0000000074104000-memory.dmp	upx
behavioral1/memory/1388-41-0x0000000073DA0000-0x0000000073DE9000-memory.dmp	upx
behavioral1/memory/1388-39-0x0000000073A60000-0x0000000073B2E000-memory.dmp	upx
behavioral1/memory/1388-36-0x0000000073CD0000-0x0000000073D98000-memory.dmp	upx
behavioral1/memory/1388-45-0x0000000000140000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/1388-46-0x0000000073DF0000-0x00000000740BF000-memory.dmp	upx
behavioral1/memory/1388-48-0x0000000073CD0000-0x0000000073D98000-memory.dmp	upx
behavioral1/memory/1388-49-0x0000000073BC0000-0x0000000073CCA000-memory.dmp	upx
behavioral1/memory/1388-51-0x0000000073A60000-0x0000000073B2E000-memory.dmp	upx
behavioral1/memory/1388-65-0x0000000000140000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/1388-66-0x0000000000140000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/1388-75-0x0000000000140000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/1388-83-0x0000000000140000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/1388-102-0x0000000000140000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/2152-125-0x0000000000140000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/2152-133-0x00000000740E0000-0x0000000074104000-memory.dmp	upx
behavioral1/memory/2152-132-0x0000000073A60000-0x0000000073B2E000-memory.dmp	upx
behavioral1/memory/2152-131-0x0000000073B30000-0x0000000073BB8000-memory.dmp	upx
behavioral1/memory/2152-130-0x0000000073BC0000-0x0000000073CCA000-memory.dmp	upx
behavioral1/memory/2152-129-0x0000000073CD0000-0x0000000073D98000-memory.dmp	upx
behavioral1/memory/2152-128-0x0000000073DA0000-0x0000000073DE9000-memory.dmp	upx
behavioral1/memory/2152-127-0x0000000073DF0000-0x00000000740BF000-memory.dmp	upx
behavioral1/memory/2152-126-0x0000000000140000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/2788-149-0x0000000000F20000-0x0000000001324000-memory.dmp	upx
behavioral1/memory/2788-152-0x0000000074070000-0x00000000740B9000-memory.dmp	upx
behavioral1/memory/2788-153-0x0000000073FA0000-0x0000000074068000-memory.dmp	upx
behavioral1/memory/2788-154-0x0000000073E90000-0x0000000073F9A000-memory.dmp	upx
behavioral1/memory/2788-155-0x0000000073E00000-0x0000000073E88000-memory.dmp	upx
behavioral1/memory/2788-156-0x0000000073A20000-0x0000000073A44000-memory.dmp	upx
behavioral1/memory/2788-157-0x0000000073B20000-0x0000000073DEF000-memory.dmp	upx
behavioral1/memory/2788-158-0x0000000073A50000-0x0000000073B1E000-memory.dmp	upx
behavioral1/memory/2788-176-0x0000000000F20000-0x0000000001324000-memory.dmp	upx
behavioral1/memory/2788-177-0x0000000073B20000-0x0000000073DEF000-memory.dmp	upx
behavioral1/memory/2788-178-0x0000000074070000-0x00000000740B9000-memory.dmp	upx
behavioral1/memory/2788-179-0x0000000073FA0000-0x0000000074068000-memory.dmp	upx
behavioral1/memory/2788-180-0x0000000073E90000-0x0000000073F9A000-memory.dmp	upx
behavioral1/memory/2788-182-0x0000000073A50000-0x0000000073B1E000-memory.dmp	upx
behavioral1/memory/2788-184-0x0000000000F20000-0x0000000001324000-memory.dmp	upx
behavioral1/memory/1612-192-0x0000000004720000-0x0000000004B24000-memory.dmp	upx
behavioral1/memory/2788-194-0x0000000000F20000-0x0000000001324000-memory.dmp	upx
behavioral1/memory/2788-230-0x0000000000F20000-0x0000000001324000-memory.dmp	upx
behavioral1/memory/2480-246-0x0000000074070000-0x00000000740B9000-memory.dmp	upx
behavioral1/memory/2480-243-0x0000000000F20000-0x0000000001324000-memory.dmp	upx
behavioral1/memory/2480-247-0x0000000073FA0000-0x0000000074068000-memory.dmp	upx
behavioral1/memory/2480-248-0x0000000073E90000-0x0000000073F9A000-memory.dmp	upx
behavioral1/memory/2480-249-0x0000000073E00000-0x0000000073E88000-memory.dmp	upx
behavioral1/memory/2480-250-0x0000000073A50000-0x0000000073B1E000-memory.dmp	upx
behavioral1/memory/2480-251-0x0000000073A20000-0x0000000073A44000-memory.dmp	upx
behavioral1/memory/2480-252-0x0000000073B20000-0x0000000073DEF000-memory.dmp	upx
behavioral1/memory/2480-280-0x0000000000F20000-0x0000000001324000-memory.dmp	upx
behavioral1/memory/1612-299-0x0000000005760000-0x0000000005B64000-memory.dmp	upx
behavioral1/memory/2324-307-0x0000000073B20000-0x0000000073DEF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

stub_tor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker"	stub_tor.exe

Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

63 myexternalip.com
71 myexternalip.com
17 myexternalip.com
18 myexternalip.com
31 myexternalip.com
46 myexternalip.com
54 myexternalip.com

flow	ioc
63	myexternalip.com
71	myexternalip.com
17	myexternalip.com
18	myexternalip.com
31	myexternalip.com
46	myexternalip.com
54	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

stub_tor.exe

pid	process
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

stub_tor.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	stub_tor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	stub_tor.exe

Suspicious behavior: RenamesItself 64 IoCs

Processes:

stub_tor.exe

pid	process
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe
1612	stub_tor.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

stub_tor.exe

description pid process

Token: SeDebugPrivilege 1612 stub_tor.exe
Token: SeShutdownPrivilege 1612 stub_tor.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

stub_tor.exe

pid process

1612 stub_tor.exe
1612 stub_tor.exe

description	pid	process
Token: SeDebugPrivilege	1612	stub_tor.exe
Token: SeShutdownPrivilege	1612	stub_tor.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

stub_tor.exe

description	pid	process	target process
PID 1612 wrote to memory of 1388	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1388	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1388	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1388	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2152	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2152	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2152	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2152	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2788	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2788	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2788	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2788	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2480	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2480	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2480	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2480	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2324	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2324	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2324	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2324	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1672	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1672	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1672	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1672	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1980	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1980	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1980	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1980	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 3064	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 3064	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 3064	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 3064	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1332	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1332	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1332	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1332	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1312	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1312	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1312	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1312	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1932	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1932	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1932	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 1932	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 944	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 944	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 944	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 944	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2748	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2748	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2748	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2748	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2400	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2400	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2400	1612	stub_tor.exe	tor.exe
PID 1612 wrote to memory of 2400	1612	stub_tor.exe	tor.exe

C:\Users\Admin\AppData\Local\Temp\stub_tor.exe
"C:\Users\Admin\AppData\Local\Temp\stub_tor.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1332

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1312

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:944

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2748

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2400

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-certs
Filesize
20KB

MD5
9bbbb73bb815896f891f94261f7a3000

SHA1
0c9630385fba820a32e39c858b141a650ba3f840

SHA256
b456079be0b9d254fd988cdd93dd6a5ca8a928fbb5d72c7c30e2f22a943fed95

SHA512
c1beee43fff137cfd9f43235fcf2c2a19e4d17d8a15666d0a0410eab9183223e1119bdfedbd956975c68a5bca98a2acd1648687a753424795773441882feef1c

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
bd169440e5172999c9752977e42dd84c

SHA1
74e4b0c0a08e16fb76ef1d0d64b0cfdd8d8ce1a4

SHA256
1b9122b9faabbeccac50893248c8bb728ebf224a011a7f4db5d6f06e59e9e995

SHA512
8d72f5a5c0fb829db8a75d003a90f668918cc4bc13f4c086c4dec3efa30af0583ccf82af06d3bfb0f16086dcc702c81947e16ea8cda78753c747cb8dcee0cbfd

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs
Filesize
12.6MB

MD5
f73a278e837b7b4a7ea87062311442ac

SHA1
3ba3c223d1758293d2287d1b2e5f9c988e973718

SHA256
3ce56a4fc190647b0f176cf0e897fc3ff3e9de127d7a7edfef1b0e20cc98e77b

SHA512
437ee286b71e7c5e1e2282bd1ac06d479611cc6894d9b9cf2ff27da44f922e9d1bdd5a8c4feca43b8d824166aa31a15c849ddb147e7a84c044688632c23f0ff5

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new
Filesize
12.6MB

MD5
aad4cc4d44975bddad958da9baece063

SHA1
965f4db645ecd93f170cf85f8bf096aefaa195cc

SHA256
9d72895fde1fcc418bed1d6f60036e9492cec0a811b718ee91f6e9ff36432693

SHA512
a47c655e6f8bb5805f88560c8fffeb1a3f7e0886702684b08eb761096ebd55636b4407f6c2a9b84a174d19e4093a9262fea4114cc5d068aca1c04608f88cfd22

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new
Filesize
6.4MB

MD5
c4598f92eefff3260972bad28370f820

SHA1
914cad2ac486903fdf38ee19e205a7c513453046

SHA256
1ea714dec89b04043854cf9aa81166a5fc08ffde06fefe91e7e658afa5ea9e09

SHA512
8e829c5326fd14085250c71506338d0aeef9f3c13f5e9fe59c37df1970e21897fe175e23994ad3787ced3a75cfc0305205c699d74f034995bc48008f4920b3e5

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new
Filesize
7.7MB

MD5
b2910ab0d89eb49fabd02d702c528f43

SHA1
a5737fe9d49aa20695869b77c6ddb076d336782c

SHA256
af90565aecf2af55ccf6c721d0f714ed0410cf173db520e4566381c13f37843a

SHA512
00debd6c368b23502f87a2a6982fae716eab788561937a79dd47e5ccf12297e2ac87d7791ce5d9ca9907ae24cf235fd57e7c076469a114643e291ae65e4448f7

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new
Filesize
9.2MB

MD5
bdece820e3284cbfe7edb6d88c3eeaf7

SHA1
da63ca34f68ce0be586ca036eea0a4dec8c66a77

SHA256
749614ded62165629a5aad2e19338278f35c4945faf11e19441bf77fc8b181e2

SHA512
e0f997eb878a3b4fe4e6ced1d1a78dd6ba1d19e49fb71e08e8f6093996ce8a36bcdde8ba524b033633cfdf8841e5ba3dce3e13bfe9014a53439f85fc4097e14e

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\state
Filesize
232B

MD5
52ba0b6a81cacf214be9a1c7917d4a21

SHA1
a93d61cf2f529a03bba7c384eeaed3e0d7775cf2

SHA256
0a9b8570d41c8f9680e21b37a713c16c39b611d78e4a125cd97a6de83e65ddbe

SHA512
87455749a1d6bf11f6062c88c12b891e5aea82aa73c7f536c46ab032d7119888bd58f5fa87daec05772165d6032ea7f1f0277e6efc5c4ec45feaa92dc59cbee7

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\state
Filesize
3KB

MD5
577824a6c9f7bfec408f5f88d3c1b26e

SHA1
b2a59c3d707afc5f6bf8c654dd2f90d348c45d09

SHA256
aed226ba0aef49fd1a029d95185d03c220958c5dc90e24edd2cf5a1c00d8d941

SHA512
525d5e3f7c91f521abac87a0bce2c80320baad1659f17ab7ff621ce7b436863620a2ef63be9ff6465a50686161f90efc3484fc71f50f9f4baf05702536c5aa04

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\torrc
Filesize
157B

MD5
8ea874223f853aac5ea469ccc164a8f9

SHA1
70d31011547870c9f930496dbf9fb7ec296a8c28

SHA256
95e134044f370b2a96408d581f3c0381fe95388dae27c6d9598f44dc7d72b9ed

SHA512
fd1dc20219fbf4863926d90b5a2127b65e165656eac4493a80288d0c57fc309ed998b5d30fe8ce313987ee367fc4fe9b6026ff32d4391950d7f26ca7b6fdcdf2

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
memory/1388-66-0x0000000000140000-0x0000000000544000-memory.dmp

Filesize
4.0MB

Download
memory/1388-40-0x00000000740E0000-0x0000000074104000-memory.dmp

Filesize
144KB

Download
memory/1388-45-0x0000000000140000-0x0000000000544000-memory.dmp

Filesize
4.0MB

Download
memory/1388-46-0x0000000073DF0000-0x00000000740BF000-memory.dmp

Filesize
2.8MB

Download
memory/1388-48-0x0000000073CD0000-0x0000000073D98000-memory.dmp

Filesize
800KB

Download
memory/1388-49-0x0000000073BC0000-0x0000000073CCA000-memory.dmp

Filesize
1.0MB

Download
memory/1388-51-0x0000000073A60000-0x0000000073B2E000-memory.dmp

Filesize
824KB

Download
memory/1388-39-0x0000000073A60000-0x0000000073B2E000-memory.dmp

Filesize
824KB

Download
memory/1388-20-0x0000000000140000-0x0000000000544000-memory.dmp

Filesize
4.0MB

Download
memory/1388-65-0x0000000000140000-0x0000000000544000-memory.dmp

Filesize
4.0MB

Download
memory/1388-28-0x0000000073DF0000-0x00000000740BF000-memory.dmp

Filesize
2.8MB

Download
memory/1388-37-0x0000000073BC0000-0x0000000073CCA000-memory.dmp

Filesize
1.0MB

Download
memory/1388-75-0x0000000000140000-0x0000000000544000-memory.dmp

Filesize
4.0MB

Download
memory/1388-83-0x0000000000140000-0x0000000000544000-memory.dmp

Filesize
4.0MB

Download
memory/1388-41-0x0000000073DA0000-0x0000000073DE9000-memory.dmp

Filesize
292KB

Download
memory/1388-102-0x0000000000140000-0x0000000000544000-memory.dmp

Filesize
4.0MB

Download
memory/1388-38-0x0000000073B30000-0x0000000073BB8000-memory.dmp

Filesize
544KB

Download
memory/1388-36-0x0000000073CD0000-0x0000000073D98000-memory.dmp

Filesize
800KB

Download
memory/1612-279-0x0000000005560000-0x0000000005964000-memory.dmp

Filesize
4.0MB

Download
memory/1612-193-0x0000000004720000-0x0000000004B24000-memory.dmp

Filesize
4.0MB

Download
memory/1612-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1612-290-0x0000000004760000-0x000000000476A000-memory.dmp

Filesize
40KB

Download
memory/1612-270-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/1612-289-0x0000000004760000-0x000000000476A000-memory.dmp

Filesize
40KB

Download
memory/1612-299-0x0000000005760000-0x0000000005B64000-memory.dmp

Filesize
4.0MB

Download
memory/1612-119-0x0000000004720000-0x0000000004B24000-memory.dmp

Filesize
4.0MB

Download
memory/1612-148-0x0000000004720000-0x0000000004B24000-memory.dmp

Filesize
4.0MB

Download
memory/1612-74-0x0000000003B00000-0x0000000003F04000-memory.dmp

Filesize
4.0MB

Download
memory/1612-17-0x0000000003B00000-0x0000000003F04000-memory.dmp

Filesize
4.0MB

Download
memory/1612-64-0x0000000003B00000-0x0000000003F04000-memory.dmp

Filesize
4.0MB

Download
memory/1612-21-0x0000000003B00000-0x0000000003F04000-memory.dmp

Filesize
4.0MB

Download
memory/1612-192-0x0000000004720000-0x0000000004B24000-memory.dmp

Filesize
4.0MB

Download
memory/1612-204-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/1612-203-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/1612-269-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/1672-341-0x0000000000F20000-0x0000000001324000-memory.dmp

Filesize
4.0MB

Download
memory/1672-342-0x0000000074020000-0x0000000074069000-memory.dmp

Filesize
292KB

Download
memory/1672-343-0x0000000073F50000-0x0000000074018000-memory.dmp

Filesize
800KB

Download
memory/1672-344-0x0000000073E40000-0x0000000073F4A000-memory.dmp

Filesize
1.0MB

Download
memory/2152-129-0x0000000073CD0000-0x0000000073D98000-memory.dmp

Filesize
800KB

Download
memory/2152-126-0x0000000000140000-0x0000000000544000-memory.dmp

Filesize
4.0MB

Download
memory/2152-125-0x0000000000140000-0x0000000000544000-memory.dmp

Filesize
4.0MB

Download
memory/2152-133-0x00000000740E0000-0x0000000074104000-memory.dmp

Filesize
144KB

Download
memory/2152-132-0x0000000073A60000-0x0000000073B2E000-memory.dmp

Filesize
824KB

Download
memory/2152-131-0x0000000073B30000-0x0000000073BB8000-memory.dmp

Filesize
544KB

Download
memory/2152-130-0x0000000073BC0000-0x0000000073CCA000-memory.dmp

Filesize
1.0MB

Download
memory/2152-128-0x0000000073DA0000-0x0000000073DE9000-memory.dmp

Filesize
292KB

Download
memory/2152-127-0x0000000073DF0000-0x00000000740BF000-memory.dmp

Filesize
2.8MB

Download
memory/2324-333-0x0000000074070000-0x00000000740B9000-memory.dmp

Filesize
292KB

Download
memory/2324-307-0x0000000073B20000-0x0000000073DEF000-memory.dmp

Filesize
2.8MB

Download
memory/2324-328-0x0000000073E90000-0x0000000073F9A000-memory.dmp

Filesize
1.0MB

Download
memory/2324-313-0x0000000073E90000-0x0000000073F9A000-memory.dmp

Filesize
1.0MB

Download
memory/2324-309-0x0000000074070000-0x00000000740B9000-memory.dmp

Filesize
292KB

Download
memory/2324-316-0x0000000073E00000-0x0000000073E88000-memory.dmp

Filesize
544KB

Download
memory/2324-311-0x0000000073FA0000-0x0000000074068000-memory.dmp

Filesize
800KB

Download
memory/2324-332-0x0000000073B20000-0x0000000073DEF000-memory.dmp

Filesize
2.8MB

Download
memory/2324-334-0x0000000073FA0000-0x0000000074068000-memory.dmp

Filesize
800KB

Download
memory/2324-331-0x0000000073A20000-0x0000000073A44000-memory.dmp

Filesize
144KB

Download
memory/2324-318-0x0000000073A20000-0x0000000073A44000-memory.dmp

Filesize
144KB

Download
memory/2324-320-0x0000000000F20000-0x0000000001324000-memory.dmp

Filesize
4.0MB

Download
memory/2324-317-0x0000000073A50000-0x0000000073B1E000-memory.dmp

Filesize
824KB

Download
memory/2324-330-0x0000000073A50000-0x0000000073B1E000-memory.dmp

Filesize
824KB

Download
memory/2324-329-0x0000000073E00000-0x0000000073E88000-memory.dmp

Filesize
544KB

Download
memory/2480-251-0x0000000073A20000-0x0000000073A44000-memory.dmp

Filesize
144KB

Download
memory/2480-252-0x0000000073B20000-0x0000000073DEF000-memory.dmp

Filesize
2.8MB

Download
memory/2480-280-0x0000000000F20000-0x0000000001324000-memory.dmp

Filesize
4.0MB

Download
memory/2480-250-0x0000000073A50000-0x0000000073B1E000-memory.dmp

Filesize
824KB

Download
memory/2480-249-0x0000000073E00000-0x0000000073E88000-memory.dmp

Filesize
544KB

Download
memory/2480-248-0x0000000073E90000-0x0000000073F9A000-memory.dmp

Filesize
1.0MB

Download
memory/2480-247-0x0000000073FA0000-0x0000000074068000-memory.dmp

Filesize
800KB

Download
memory/2480-243-0x0000000000F20000-0x0000000001324000-memory.dmp

Filesize
4.0MB

Download
memory/2480-246-0x0000000074070000-0x00000000740B9000-memory.dmp

Filesize
292KB

Download
memory/2788-230-0x0000000000F20000-0x0000000001324000-memory.dmp

Filesize
4.0MB

Download
memory/2788-194-0x0000000000F20000-0x0000000001324000-memory.dmp

Filesize
4.0MB

Download
memory/2788-184-0x0000000000F20000-0x0000000001324000-memory.dmp

Filesize
4.0MB

Download
memory/2788-182-0x0000000073A50000-0x0000000073B1E000-memory.dmp

Filesize
824KB

Download
memory/2788-180-0x0000000073E90000-0x0000000073F9A000-memory.dmp

Filesize
1.0MB

Download
memory/2788-179-0x0000000073FA0000-0x0000000074068000-memory.dmp

Filesize
800KB

Download
memory/2788-178-0x0000000074070000-0x00000000740B9000-memory.dmp

Filesize
292KB

Download
memory/2788-177-0x0000000073B20000-0x0000000073DEF000-memory.dmp

Filesize
2.8MB

Download
memory/2788-176-0x0000000000F20000-0x0000000001324000-memory.dmp

Filesize
4.0MB

Download
memory/2788-158-0x0000000073A50000-0x0000000073B1E000-memory.dmp

Filesize
824KB

Download
memory/2788-157-0x0000000073B20000-0x0000000073DEF000-memory.dmp

Filesize
2.8MB

Download
memory/2788-156-0x0000000073A20000-0x0000000073A44000-memory.dmp

Filesize
144KB

Download
memory/2788-155-0x0000000073E00000-0x0000000073E88000-memory.dmp

Filesize
544KB

Download
memory/2788-154-0x0000000073E90000-0x0000000073F9A000-memory.dmp

Filesize
1.0MB

Download
memory/2788-153-0x0000000073FA0000-0x0000000074068000-memory.dmp

Filesize
800KB

Download
memory/2788-152-0x0000000074070000-0x00000000740B9000-memory.dmp

Filesize
292KB

Download
memory/2788-149-0x0000000000F20000-0x0000000001324000-memory.dmp

Filesize
4.0MB

Download