phemedrone | hxxps://github[.]com/Supremetrysi/java/raw/main/java[.]rar

Analysis

max time kernel
61s
max time network
60s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31-01-2025 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Supremetrysi/java/raw/main/java.rar

Score

10^/10

phemedrone xmrig defense_evasion discovery execution miner persistence stealer upx

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7409385165:AAHDnOsiLDMwjv8rdk_VLf2May0J5Oj0YjI/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/804-154-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/804-155-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/804-153-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/804-152-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/804-150-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/804-156-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/804-149-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe
2056	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	zrgqfbcavrkx.exe
File created	C:\Windows\system32\drivers\etc\hosts	java8.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
3212	java8.exe
2920	optionsof.exe
1096	zrgqfbcavrkx.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1352	powercfg.exe
64	powercfg.exe
376	powercfg.exe
4328	powercfg.exe
4764	powercfg.exe
4632	powercfg.exe
1356	powercfg.exe
4528	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	java8.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	zrgqfbcavrkx.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 5064	2920	optionsof.exe	99
PID 1096 set thread context of 2136	1096	zrgqfbcavrkx.exe	155
PID 1096 set thread context of 804	1096	zrgqfbcavrkx.exe	160

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/804-145-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-154-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-155-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-153-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-152-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-150-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-148-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-147-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-156-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-149-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-146-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/804-144-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
800	sc.exe
3048	sc.exe
4568	sc.exe
1008	sc.exe
4768	sc.exe
3808	sc.exe
4024	sc.exe
1008	sc.exe
4528	sc.exe
4640	sc.exe
4708	sc.exe
2608	sc.exe
3760	sc.exe
4568	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
984	5064	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	optionsof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133828154825867408"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2568	chrome.exe
2568	chrome.exe
3212	java8.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
3212	java8.exe
1096	zrgqfbcavrkx.exe
2056	powershell.exe
2056	powershell.exe
2056	powershell.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe
1096	zrgqfbcavrkx.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2568	chrome.exe
2568	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeRestorePrivilege	3616	7zFM.exe
Token: 35	3616	7zFM.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeSecurityPrivilege	3616	7zFM.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
3616	7zFM.exe
3616	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 5044	2568	chrome.exe	80
PID 2568 wrote to memory of 5044	2568	chrome.exe	80
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 2804	2568	chrome.exe	81
PID 2568 wrote to memory of 3600	2568	chrome.exe	82
PID 2568 wrote to memory of 3600	2568	chrome.exe	82
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83
PID 2568 wrote to memory of 3512	2568	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Supremetrysi/java/raw/main/java.rar
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8eb06cc40,0x7ff8eb06cc4c,0x7ff8eb06cc58
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,13559401604818286957,10924361746598997632,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=560,i,13559401604818286957,10924361746598997632,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,13559401604818286957,10924361746598997632,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,13559401604818286957,10924361746598997632,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,13559401604818286957,10924361746598997632,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,13559401604818286957,10924361746598997632,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,13559401604818286957,10924361746598997632,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:3924

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3048

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\java.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3616

C:\Users\Admin\Desktop\java8.exe
"C:\Users\Admin\Desktop\java8.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3212
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2148
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3032
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1008
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4528
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3760
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:800
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:376
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4632
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4764
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4328
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "RLNALEWN"
  2⤵
  - Launches sc.exe
  PID:4768
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "RLNALEWN" binpath= "C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:3808
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:4024
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "RLNALEWN"
  2⤵
  - Launches sc.exe
  PID:4640

C:\Users\Admin\Desktop\optionsof.exe
"C:\Users\Admin\Desktop\optionsof.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1088
    3⤵
    - Program crash
    PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5064 -ip 5064
1⤵
PID:2056

C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1096
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4364
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3752
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3048
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4708
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1008
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2608
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1356
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4528
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1352
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:64
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2136
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
813342c8e2ef53f5d11a52f74e23a622

SHA1
9baf1e8863e95a8fb006999f00a5ac4cd0f540da

SHA256
bea51aee2b1b68670b6c7319dabca6795194c455374abcda3bc6cfe29d61d9dc

SHA512
0795885fc20938214330932ac7a9ef0c5e154ecbbca9ea0c94a475771765dcd6c0e38fafbed863970b03c07176a24120adb8ec5c1f1d954ad7975c49f431a04f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
687B

MD5
382800927d8faeea462798e6df9f51c2

SHA1
7c4dc4d4a01e47e4bce15578f2820e97520d3253

SHA256
a4192f73b9f710724f1b58e20619210402235e75ed8f7a38f77c588736a85718

SHA512
15d20654a4450c220306894e491ff20ab7d9c593e539ef38b2b1d4e53874ea13425fe15ad983e2d649cb83d4272b67d1c16f7624847ebe3c5fcc273b5ad3108d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
886e4a639c862fc4ff2f2e8d232e5ca4

SHA1
b697ac6af4f065e3116111a5caa67e6585051cb2

SHA256
00c090d316c7d4eeb1e4a494a95d3f4bc3c3fbd0d7a8107685f0c2ae1c71201b

SHA512
3f7541e0c69a1d184da8e608bf28be5dd78d9ebbabf95a7e41bb47d7c6ed98992d7b3241d4a3da435c13e5501cb7c972ab7f30f35b4cd77586e44103c6d3d52d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4bcc97d844cdd3cb8420fc09bdf9a4d5

SHA1
e3f00097d5fe398079d9566dcf3fb526eecf689e

SHA256
b5981c7ec4d8bbbc1042af89facd8e96f90aa7dc7e032c57db71fe029d4d4ab6

SHA512
be300be573d7d6d982d1e8c09121759d541f9ddf610be7303d7718187eaa09f0b76bc75f1f83fe5b99e432a059f0b69ff4b86e57e4e2c985dab72b35edf8ea47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f282ed447ec0c104050ca5ade1f89d9d

SHA1
23b7e4f175224257e2392123a1955fc3f0413dd2

SHA256
d79cdba7cee6217fb29e35d9175fb1adbd2ed473ddcce674f8a516e0d62d48f9

SHA512
02d8195d1ef0e13d1ae818b2cdf4bb09e48562a284fae38b020a01688d9f21c77ae66c50030f7418276f07936efbcacc9898c09b13d377c8ca2fa12db55bd43b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
765b74c5fe3a0b6135abdfcbf9871201

SHA1
4ffbc7211f1ab34b47af264a40623af23f60cae7

SHA256
246115e7fd85728d86b59303b5815380f47aa73ab187b5dcec859d25bf7cd7d1

SHA512
7f3523bdf4a7a235eacdbb460870420917e84386556131833bd490a9e75b5ed1c2210823fe8ca49e8a420701f6150c3d5a890c652ccff35f55fc8a4db0532c84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
a1933550318abba2638f1f1ec904631b

SHA1
16a2b70a0c09d2f3449689c60777c24cbcfebc73

SHA256
37fb8eb28f225dd1ce0f387f1b82b4de00079f24ebcab3f804480c50092eae79

SHA512
240a097c773d142d43c83787795efc306123317a1909d34e4b2a42acb0762a4eb41e37f38dd9a42bcd137747625e4d4b672b419294564f077949acd5f08801f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
12235aef10c7ef8d8c0f0014d5e24faa

SHA1
49f1313aad3dde84a4047fb28df73fc7f6ab5191

SHA256
8dc6d693869889b5b2b131999a590cc203879fa46cb7404becfe1a46614745dd

SHA512
0c78d65f410d3e94f8209f58ac08c75b5bcedcba25a02772870ed9b9657f7bc908d519c24dd6c1b57266fbdc3cd1a8adbb76c5723c864451e2797476a2b118bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ticeusky.c13.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\java8.exe

Filesize
2.5MB

MD5
c9a04bf748d1ee29a43ac3f0ddace478

SHA1
891bd4e634a9c5fec1a3de80bff55c665236b58d

SHA256
a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc

SHA512
e17edb74f5cb4d8aabb4c775ec25a271f201da3adcb03541b1919526c0939694a768affc21c3066327e57c13bc9bb481074e51e4e78867df847b26f063b4c115

Download Submit
C:\Users\Admin\Desktop\optionsof.exe

Filesize
140KB

MD5
b85ecda89bf941d2f69926777d82447b

SHA1
f60f393020a85a4dd438097300ea8d46c809d922

SHA256
8d2376a342933095ae5e966596adf56803d1077ae53d2c47e5dd926d658d351b

SHA512
3f2becf602c10e0288dbb8c487c898821cddd786f1ca9a0f5b66cdaad939d8708198232217e119636840614384bfcee1eb4417170e062dd351a65af20be3e583

Download Submit
C:\Users\Admin\Downloads\java.rar.crdownload

Filesize
2.2MB

MD5
444a82830c0b8be71b1f93d9b204d319

SHA1
635264828a72e48c50cfac57fdbce3157346e4ae

SHA256
63f8bfb2406ceff95ad392a35ae0cadf1ef47cdd9db0e3dd64cc593dc1dc519e

SHA512
ca442d255eb0767fbe6f94911c95368867d6171cb744970f7321f918ffb3d75b9bde4fe202c04c03b105ad0d2b7bcdf1f7a58f651b4bbb47ee3ca400ca3e07f6

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
93c488e6aa1f63b97a6f644ae0c6fdc1

SHA1
715b27e9df4130a0a9cbadd8caa02ff6f52beee4

SHA256
675bb3c33bfeb21684bfd7ee9048c7866bc57ffde08b32ff402e22f61c7afd54

SHA512
9c755f97bc7d40bdf7af1712241f94d31b2cdf21f583770c08328b79dee56a6ed86105867b82141ff3a1bbaa59ae82fb30a5d6bd4093c8b564fcafd16f431112

Download Submit
memory/804-149-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-152-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-146-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-156-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-147-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-144-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-148-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-150-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-145-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-151-0x0000027FCAE80000-0x0000027FCAEA0000-memory.dmp

Filesize
128KB

Download
memory/804-154-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-155-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/804-153-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2056-131-0x0000023DAA490000-0x0000023DAA49A000-memory.dmp

Filesize
40KB

Download
memory/2056-130-0x0000023DAA3D0000-0x0000023DAA485000-memory.dmp

Filesize
724KB

Download
memory/2056-129-0x0000023DAA3B0000-0x0000023DAA3CC000-memory.dmp

Filesize
112KB

Download
memory/2136-143-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2136-139-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2136-138-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2136-136-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2136-137-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2136-135-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2820-99-0x00000235215D0000-0x00000235215F2000-memory.dmp

Filesize
136KB

Download
memory/2920-71-0x00000000007E0000-0x000000000080A000-memory.dmp

Filesize
168KB

Download
memory/5064-75-0x0000000004E60000-0x0000000004EC6000-memory.dmp

Filesize
408KB

Download
memory/5064-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download