njrat | b84d06eb8b490a54bdd252a58d25eb54f5580018ecbf3066e0cd5d03ef284c96

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/02/2025, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

officedeploymenttool_18227-20162.exe
Size

37.5MB
MD5

d85711a9d52862c3e538d79217244059
SHA1

3ed74e38b09b34db3add5fb2c1f4debb66651987
SHA256

b84d06eb8b490a54bdd252a58d25eb54f5580018ecbf3066e0cd5d03ef284c96
SHA512

7858369ea6aead310ce6524699301958167914453e7d83849b62088e58c8ef318a75e14da637434340f15e01acbe623337a7d1a06e15ea18c3c32b15d8e843ae
SSDEEP

786432:vhP/Hle221VnfaWCXcbWDMzISiBddts4s0ACgz27e6fg8/KQxg6U5SeE+nz2E:vBlVsCFhDMzwds4s0oZ+g8CQxfYX6

Score

10^/10

njrat xmrig cyka defense_evasion discovery miner persistence privilege_escalation pyinstaller trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Cyka

mj2025.ddns.net:5552

Mutex

c6c0c67fa02a1b5dbba63788457d850d

Attributes

reg_key
c6c0c67fa02a1b5dbba63788457d850d
splitter
|'|'|

Signatures

Njrat family
njrat
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/3020-3175-0x0000000000210000-0x0000000000D21000-memory.dmp	xmrig
behavioral1/memory/3020-3176-0x0000000000210000-0x0000000000D21000-memory.dmp	xmrig

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1836	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6c0c67fa02a1b5dbba63788457d850d.exe	GameSDK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6c0c67fa02a1b5dbba63788457d850d.exe	GameSDK.exe

Executes dropped EXE 17 IoCs

pid	Process
1864	svchost.exe
2324	svchost.exe
2728	Stable_Network.exe
2860	Runtime Broker.exe
1180	Process not Found
2676	CL_Debug_Log.txt
648	GameSDK.exe
1500	Antimalware Service Executable.exe
2000	Antimalware Service Executable.exe
2344	Antimalware Service Executable.exe
1208	Antimalware Service Executable.exe
1136	tor.exe
2248	Antimalware Service Executable.exe
2616	Antimalware Service Executable.exe
1728	Antimalware Service Executable.exe
2688	Antimalware Service Executable.exe
2804	Antimalware Service Executable.exe

Loads dropped DLL 20 IoCs

pid	Process
2536	officedeploymenttool_18227-20162.exe
2324	svchost.exe
2536	officedeploymenttool_18227-20162.exe
2536	officedeploymenttool_18227-20162.exe
2536	officedeploymenttool_18227-20162.exe
1180	Process not Found
2728	Stable_Network.exe
2860	Runtime Broker.exe
2860	Runtime Broker.exe
1472	taskeng.exe
1088	Process not Found
2344	Antimalware Service Executable.exe
2344	Antimalware Service Executable.exe
1136	tor.exe
1136	tor.exe
1136	tor.exe
1136	tor.exe
1136	tor.exe
1136	tor.exe
2036	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\c6c0c67fa02a1b5dbba63788457d850d = "\"C:\\Users\\Admin\\GameSDK.exe\" .."	GameSDK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c6c0c67fa02a1b5dbba63788457d850d = "\"C:\\Users\\Admin\\GameSDK.exe\" .."	GameSDK.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000171a8-30.dat	autoit_exe
behavioral1/files/0x0005000000018683-78.dat	autoit_exe
behavioral1/files/0x000d000000018676-81.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 1208	2344	Antimalware Service Executable.exe	47
PID 2344 set thread context of 2248	2344	Antimalware Service Executable.exe	51
PID 2344 set thread context of 3020	2344	Antimalware Service Executable.exe	53

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d5e-24.dat	upx
behavioral1/memory/2324-26-0x000007FEF5540000-0x000007FEF59A6000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000012117-5.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stable_Network.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CL_Debug_Log.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GameSDK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	officedeploymenttool_18227-20162.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\CCJBVTGQ\root\CIMV2	Stable_Network.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\CCJBVTGQ\root\CIMV2	Antimalware Service Executable.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeRestorePrivilege	2676	CL_Debug_Log.txt
Token: 35	2676	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2676	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2676	CL_Debug_Log.txt
Token: SeRestorePrivilege	1208	Antimalware Service Executable.exe
Token: 35	1208	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	1208	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	1208	Antimalware Service Executable.exe
Token: SeDebugPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: SeRestorePrivilege	2248	Antimalware Service Executable.exe
Token: 35	2248	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	2248	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	2248	Antimalware Service Executable.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: SeLockMemoryPrivilege	3020	attrib.exe
Token: SeLockMemoryPrivilege	3020	attrib.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe
Token: 33	648	GameSDK.exe
Token: SeIncBasePriorityPrivilege	648	GameSDK.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2000	Antimalware Service Executable.exe
2000	Antimalware Service Executable.exe
2000	Antimalware Service Executable.exe
1500	Antimalware Service Executable.exe
1500	Antimalware Service Executable.exe
1500	Antimalware Service Executable.exe
2344	Antimalware Service Executable.exe
2344	Antimalware Service Executable.exe
2344	Antimalware Service Executable.exe
3020	attrib.exe
2616	Antimalware Service Executable.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2728	Stable_Network.exe
2728	Stable_Network.exe
2728	Stable_Network.exe
2000	Antimalware Service Executable.exe
2000	Antimalware Service Executable.exe
2000	Antimalware Service Executable.exe
1500	Antimalware Service Executable.exe
1500	Antimalware Service Executable.exe
1500	Antimalware Service Executable.exe
2344	Antimalware Service Executable.exe
2344	Antimalware Service Executable.exe
2344	Antimalware Service Executable.exe
2616	Antimalware Service Executable.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1864	2536	officedeploymenttool_18227-20162.exe	30
PID 2536 wrote to memory of 1864	2536	officedeploymenttool_18227-20162.exe	30
PID 2536 wrote to memory of 1864	2536	officedeploymenttool_18227-20162.exe	30
PID 2536 wrote to memory of 1864	2536	officedeploymenttool_18227-20162.exe	30
PID 1864 wrote to memory of 2324	1864	svchost.exe	31
PID 1864 wrote to memory of 2324	1864	svchost.exe	31
PID 1864 wrote to memory of 2324	1864	svchost.exe	31
PID 2536 wrote to memory of 2728	2536	officedeploymenttool_18227-20162.exe	32
PID 2536 wrote to memory of 2728	2536	officedeploymenttool_18227-20162.exe	32
PID 2536 wrote to memory of 2728	2536	officedeploymenttool_18227-20162.exe	32
PID 2536 wrote to memory of 2728	2536	officedeploymenttool_18227-20162.exe	32
PID 2536 wrote to memory of 2860	2536	officedeploymenttool_18227-20162.exe	33
PID 2536 wrote to memory of 2860	2536	officedeploymenttool_18227-20162.exe	33
PID 2536 wrote to memory of 2860	2536	officedeploymenttool_18227-20162.exe	33
PID 2536 wrote to memory of 2860	2536	officedeploymenttool_18227-20162.exe	33
PID 2728 wrote to memory of 2676	2728	Stable_Network.exe	35
PID 2728 wrote to memory of 2676	2728	Stable_Network.exe	35
PID 2728 wrote to memory of 2676	2728	Stable_Network.exe	35
PID 2728 wrote to memory of 2676	2728	Stable_Network.exe	35
PID 2860 wrote to memory of 648	2860	Runtime Broker.exe	37
PID 2860 wrote to memory of 648	2860	Runtime Broker.exe	37
PID 2860 wrote to memory of 648	2860	Runtime Broker.exe	37
PID 2860 wrote to memory of 648	2860	Runtime Broker.exe	37
PID 2728 wrote to memory of 2824	2728	Stable_Network.exe	38
PID 2728 wrote to memory of 2824	2728	Stable_Network.exe	38
PID 2728 wrote to memory of 2824	2728	Stable_Network.exe	38
PID 2728 wrote to memory of 2824	2728	Stable_Network.exe	38
PID 2824 wrote to memory of 2804	2824	cmd.exe	40
PID 2824 wrote to memory of 2804	2824	cmd.exe	40
PID 2824 wrote to memory of 2804	2824	cmd.exe	40
PID 2824 wrote to memory of 2804	2824	cmd.exe	40
PID 648 wrote to memory of 1836	648	GameSDK.exe	42
PID 648 wrote to memory of 1836	648	GameSDK.exe	42
PID 648 wrote to memory of 1836	648	GameSDK.exe	42
PID 648 wrote to memory of 1836	648	GameSDK.exe	42
PID 1472 wrote to memory of 1500	1472	taskeng.exe	44
PID 1472 wrote to memory of 1500	1472	taskeng.exe	44
PID 1472 wrote to memory of 1500	1472	taskeng.exe	44
PID 1472 wrote to memory of 2000	1472	taskeng.exe	45
PID 1472 wrote to memory of 2000	1472	taskeng.exe	45
PID 1472 wrote to memory of 2000	1472	taskeng.exe	45
PID 2000 wrote to memory of 2344	2000	Antimalware Service Executable.exe	46
PID 2000 wrote to memory of 2344	2000	Antimalware Service Executable.exe	46
PID 2000 wrote to memory of 2344	2000	Antimalware Service Executable.exe	46
PID 2344 wrote to memory of 1208	2344	Antimalware Service Executable.exe	47
PID 2344 wrote to memory of 1208	2344	Antimalware Service Executable.exe	47
PID 2344 wrote to memory of 1208	2344	Antimalware Service Executable.exe	47
PID 2344 wrote to memory of 1208	2344	Antimalware Service Executable.exe	47
PID 2344 wrote to memory of 1208	2344	Antimalware Service Executable.exe	47
PID 2344 wrote to memory of 1136	2344	Antimalware Service Executable.exe	50
PID 2344 wrote to memory of 1136	2344	Antimalware Service Executable.exe	50
PID 2344 wrote to memory of 1136	2344	Antimalware Service Executable.exe	50
PID 2344 wrote to memory of 2248	2344	Antimalware Service Executable.exe	51
PID 2344 wrote to memory of 2248	2344	Antimalware Service Executable.exe	51
PID 2344 wrote to memory of 2248	2344	Antimalware Service Executable.exe	51
PID 2344 wrote to memory of 2248	2344	Antimalware Service Executable.exe	51
PID 2344 wrote to memory of 2248	2344	Antimalware Service Executable.exe	51
PID 2344 wrote to memory of 3020	2344	Antimalware Service Executable.exe	53
PID 2344 wrote to memory of 3020	2344	Antimalware Service Executable.exe	53
PID 2344 wrote to memory of 3020	2344	Antimalware Service Executable.exe	53
PID 2344 wrote to memory of 3020	2344	Antimalware Service Executable.exe	53
PID 2344 wrote to memory of 3020	2344	Antimalware Service Executable.exe	53
PID 1472 wrote to memory of 2616	1472	taskeng.exe	56
PID 1472 wrote to memory of 2616	1472	taskeng.exe	56

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3020	attrib.exe

C:\Users\Admin\AppData\Local\Temp\officedeploymenttool_18227-20162.exe
"C:\Users\Admin\AppData\Local\Temp\officedeploymenttool_18227-20162.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2324
- C:\ProgramData\Stable_Network.exe
  "C:\ProgramData\Stable_Network.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2804
- C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\GameSDK.exe
    "C:\Users\Admin\GameSDK.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\GameSDK.exe" "GameSDK.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1836

C:\Windows\system32\taskeng.exe
taskeng.exe {37ABD51F-7509-46CD-8CD4-DB3EC1CD530F} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1500
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck38142
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1208
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1136
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\System32\attrib.exe
      -o stratum+tcp://pool.supportxmr.com:3333 -u 428jMEBAdSKHQGHrnDMJzK16oJ1irAGkEgLZrhkJjNSxfsHQ8cpLn8QBAQWcpodf7bjFLt1wQHbJ8JNg3Em5EspB1MsE9zY -p x -t 4
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Views/modifies file attributes
      PID:3020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2616
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Stable_Network.exe

Filesize
15.9MB

MD5
a1a51313f8d07d2eb4ca0123108094e1

SHA1
4024e60d52e4c992596b73cb205ea7b4a1a91ae0

SHA256
8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63

SHA512
3a43cdaae6d988f935f4092d5a9a4eb3cf2f2230d438858a3dc24eec6b050c21c1844f899b60fc69ed3d34b76f2f4057b82e8730f149b0103628af7219392e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
f71859e5750415fb32eb045e58635cae

SHA1
fa70d2a35caeb0c12214775cad8cdd8ff0583b59

SHA256
8d668f74825fd8cf5809d9c63e36084bd04d672585fb1f5cdda429e052b8488e

SHA512
423bc36ec4d2b811aa54685a70d5b9daad21d31e95759b1437b7b1966bcdd05d322a76c4288dc647b35bd4b1f6acc0c692fa4ba365715e55671da4edef65df1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
4f19535079b64da77ce91d429cfbcfdc

SHA1
68b4d4679024111b246c45328db9478f3a67a709

SHA256
fc02c6319cc5b32536a4b1773a5aba82c213fed6de3249d117b2c8ffe5c82b58

SHA512
fcea894e6a00384c4af0d5abd8143a72b122c6e3052b602ee4a150c89b538e4ac5f76dcbc01770548dba6ef67dd13420450d368bfb42ddcf4fd11995181382dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
14.6MB

MD5
053bd8fa3b586bd5b8ee60970c6cae44

SHA1
ada9b5270e7025a5438bc0066f68286243db15c7

SHA256
e0e342cd6302970770d542d516a02a445c13f1f6a77799342ced658ca4e3f8ad

SHA512
0bc717c9bc09ee019662ee3cee795ad5510981d36ca706872f776385b4b98826768c5a5136e592e997383690a0d1634d72d4462a05120550a6e5a3295e5a587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
46f2f154060d639b1f5f1ceb47ba9574

SHA1
6bdee2c266f48415b9d580801fea16a9d43faa25

SHA256
a08b36bde4948ac2878d5aaaad2e2cacf0ed2b1fde097b9c6ae2d777843b1d4f

SHA512
752e3042d9e3b50748d4075aca84ab61a975dad6be1d5c1ef6d807e8933048e75221ea0babf935b1aee778bad3f51374ca3984418cb4587d5f2e1de45b07f7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\python310.dll

Filesize
1.4MB

MD5
72c65de0cc88d6a26d5a7040aaf1fb60

SHA1
68dae332ade43106c72e68a497b6b7df6b314425

SHA256
769f20bcec63eb6567cca095ea59ffcda2c87e2b8600503f0e4f976dfb8da2bb

SHA512
5f658e0bee185613a37f946069ac6723fff93e542a4eb6e3435766c58d09d82894b85502f1686ffc9318bdf4b3a858490866ca56b90238c8c903e794c3a4e3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
14.6MB

MD5
5aa219d1ea73f71f39e2b4cf09f84787

SHA1
66c996348e41aa32686d5eb9389dfc4dcbdf6acb

SHA256
48e152a15e74d7d397fe6f51a9b183091352930e695b56d3a0d3ee80197664b0

SHA512
77426e81f92479c930d221c4e6c5397027b2f1036895eb42a374674cd73d7ed8c1df59ec7adbdbff2ce67c15a8ded2f59db9349804df59921daab15cd1bbbe72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
11KB

MD5
fd7347ad0c32a9a3ead2cd93a4f19b5a

SHA1
b467f72895fc5050824be544f5392635a90f92e7

SHA256
bc20bfedf9ce9e927cebae94b9512814fba026f341bcdaf0db28f640064eb472

SHA512
3ae0836fc45484b43c52183023c7bc992421e2edac5613cfb3b4d7f78fc2870c699681f04700f42b9a92ad19db8bcd67c62d0de79b6055c1a5a3d4d482532e2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
2.6MB

MD5
21e3778b11e03ced442a1ac73d8949ee

SHA1
9e416a029a3c6e6738cba0d1f69253ca283b73ea

SHA256
03b7f47481eaf1f2c942f4a41a3a6411e22493c2d5b25ab1cab38ffe11cccb76

SHA512
20b91dea4e9f8f9dc8b672be51fb161f1b7a60fac9523921bc084f64c684f688070ec0e01c93f57294a7b13f5ecd33f9eac0eb22acd65b528162bfb08d0bd1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.txt

Filesize
15.8MB

MD5
7268eb05d51294219569569ea006da2a

SHA1
ade2c0a248f6aae9ff00f42e04dd3d1de242b289

SHA256
188b7e3f0135cf683c393ab88930e93f29d4a0c31c08841237afaf543ecb2e12

SHA512
0056df445e950fc3a76dcb64c4ab8c8b187436d18e95b916b7e83e7e215fa8371bae91501252b1a6e15dbc5414ae674381b758c84a2814d4c88bd856e3deef46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
2.5MB

MD5
54183220aa6c777f8228474ff5b5df01

SHA1
ed438f17bffb37d42afd61d8dcef0c50d554c65c

SHA256
9a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963

SHA512
70b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-certs

Filesize
15KB

MD5
eeeec99015522fca6424ca5390c2495f

SHA1
1cd30aa901a7b600b1681751231d4afdec70adf1

SHA256
c2122a3c51d15aedc5d791f549b22bc17f8d292e835367f6cf4f637cb5dea45a

SHA512
afe372db05d85d22372514a1bb55bad19f2cbd02bc29ec81c019e79367f07de702b5645cc2d916605c5b2bc76cd1032aed047a02f3840f5c570974d29df25e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.8MB

MD5
f86384a91741548d0fe0ba7a7435c977

SHA1
64e553ab8be1952445522a2ab50985d0c28ccdbc

SHA256
a159efad2d96e0b5e263af15926881cbe94a3c9049ee13ab2eab2eff878948e1

SHA512
6034604ad0e53e0cec0b58be8b7578c32af882b51871e9e80597c3fd4cc32faec29d1890412f502976da6bd8cea650476abe305ecc4e83d62ee1ceb32f7687d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
10.8MB

MD5
b0447744e17ca5f7ab780b88f357595a

SHA1
881066602f4f906da22f2110ee9b51549b40a652

SHA256
2c57727525f74ab26c517bd5454cff156c9ca0b6f041b5faec2c94f904e1df90

SHA512
ea3b86a33b40879dfea96d3dd274a6bd41042eded8c0a85502b24beb308696306cdf9d76dd142c90155bc3b620550c0d30d5f84dc1a18ee4b11b53303bd325ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
21.4MB

MD5
aacf9cd6b9e25d4ab3c6a131bc8ba7c8

SHA1
0925139ce6bcd39834d047091425f2783b920e72

SHA256
d3a4aa0e2883f36a9756a1d89e91c793709efa18d1d0228de1f5e69dc75794f4

SHA512
06a259866bf53499face69a7fd24799b9de166ee72b81b5e6202d3b143faeae3008af56f21aa9dc38742c3f2c339873156dbcb0cecc35143ea9d661980acd6bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\state

Filesize
3KB

MD5
1fedbf67648fc6d5813585159e590d48

SHA1
59fec7d9df80b32f12742395314a9b948d640a9d

SHA256
7ba9749a131e0a55ec2b368b4673f1535597add17dde357af08423db1aa8bdfc

SHA512
2e78e515e4ed80d91d5fbdede7483350a3808f1bb766a681bf2ed5308d8c869b85a454f084d550cb3e953e617c53ff4c89a634a1750b13a85b59b2c8182a0295

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Filesize
6B

MD5
27d498910a897ef2d2be866a94f9cdd8

SHA1
f2671e56060665cf57be56622d0942153e28562a

SHA256
3b84c36e5d1e2b0abf0da1f40b20ccaabda27d4f6aa027882a7562b51b44d827

SHA512
c8e6ae18789a53629a17f96627037defe73b24c0c30159fbc4a94602e8cde1eb998aed2fd583d2335938a8c0b8d6c7961d2bf71ed05af0b8711e29237ae9a42d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-7.dll

Filesize
646KB

MD5
c1507e234ff7f11a259d87a57af740be

SHA1
7478ba561c9f478ede650561867ebd2db58da42f

SHA256
d6a7d46f6fc803b50460d03c0bc14f2f128ee2becabcf1713715bcebf13ee75b

SHA512
64d0657050028d846097429ad1268844038059279e1256329716b937338de5fc1b5f50f420b8aa781c5e2a19f15158f564569db639981fef10fa5e57dfd4717b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-7.dll

Filesize
657KB

MD5
7cb2f0f4bba8d16c3200e9ac2a25b7c0

SHA1
63cf39682bf6876f563e1567df3c55fd5939e6ea

SHA256
ec52e90c68dd0e7603df3f9fe6c909d019a7e94dc3ce0efd8baf67864a43b74b

SHA512
7a660d87739914c68cadb56a4acbf27d68fd145b3bb65b957b4c767dfabe0762c40d58faa3a2df3b3453083ea658411c79d53be5166dda844782a9cd2617a264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
ead6d4a87041e13b9041f78be1cb84d1

SHA1
896a336e08a1904537ee5a4a86eb0e885a18e17a

SHA256
b94b8981f8110944c5b03c9cba4066e9d0daa13687dead387bcbc772132c6d24

SHA512
34054ec79691145a8d511f9425f9ad44e07f8bfb38bd0b3251a5db3358c0055344615990fb770d4bdcbf04c9461847dfd4f6d2bac1e43ec815426a94d065c580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe

Filesize
22KB

MD5
afb3b01f0bcb1f2ed03d825c3f26d0b9

SHA1
5e4384726bf58ce5ed72dd9830868a83b96bf0e3

SHA256
d08ebadb2737f9b650162738c4cd15178ff9577d0583f064db7b2e0704d4622c

SHA512
4d53cf13518bef173cfa10594123416bbe1af0a6eda475323c400a8502b1c236dedb8d0f2e50fcd63176c9c52a1a7170c9159b8430265dabb0031045d97c9a35

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
3.4MB

MD5
791a48e7cf84ec1532d20127556f6300

SHA1
774f71e595cfc7e24dc941839566bc9edd9156c5

SHA256
af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff

SHA512
ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
21.5MB

MD5
f73648b12faad92f981744f7ad02c06e

SHA1
8da914dde7483ad54d66dc2a8ec75e28f1437673

SHA256
765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560

SHA512
794ddee24cc1f1c6e4c103b40015490692d51fde34fe2ab924420268ed9af699e50b191ff911fcfb5a5a05eb4dd664057154e0aed73342019feeb0d2003f30be

Download Submit
memory/1136-3140-0x0000000001240000-0x00000000016A1000-memory.dmp

Filesize
4.4MB

Download
memory/1136-154-0x0000000072610000-0x00000000726F3000-memory.dmp

Filesize
908KB

Download
memory/1136-153-0x0000000001240000-0x00000000016A1000-memory.dmp

Filesize
4.4MB

Download
memory/1136-160-0x0000000001240000-0x00000000016A1000-memory.dmp

Filesize
4.4MB

Download
memory/1136-156-0x00000000710B0000-0x0000000071148000-memory.dmp

Filesize
608KB

Download
memory/1136-157-0x0000000070DC0000-0x00000000710AD000-memory.dmp

Filesize
2.9MB

Download
memory/1136-194-0x0000000001240000-0x00000000016A1000-memory.dmp

Filesize
4.4MB

Download
memory/1136-158-0x0000000070CE0000-0x0000000070DB3000-memory.dmp

Filesize
844KB

Download
memory/1136-159-0x0000000073590000-0x00000000735B3000-memory.dmp

Filesize
140KB

Download
memory/1136-3153-0x0000000001240000-0x00000000016A1000-memory.dmp

Filesize
4.4MB

Download
memory/1136-155-0x0000000073350000-0x00000000733A4000-memory.dmp

Filesize
336KB

Download
memory/1208-110-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/1208-106-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/1208-107-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/1208-104-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2248-3147-0x0000000000460000-0x0000000000583000-memory.dmp

Filesize
1.1MB

Download
memory/2248-3137-0x0000000000460000-0x0000000000583000-memory.dmp

Filesize
1.1MB

Download
memory/2248-3136-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/2324-26-0x000007FEF5540000-0x000007FEF59A6000-memory.dmp

Filesize
4.4MB

Download
memory/2536-42-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2536-0-0x0000000073E41000-0x0000000073E42000-memory.dmp

Filesize
4KB

Download
memory/2536-2-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2536-1-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-3172-0x0000000000210000-0x0000000000D21000-memory.dmp

Filesize
11.1MB

Download
memory/3020-3174-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/3020-3175-0x0000000000210000-0x0000000000D21000-memory.dmp

Filesize
11.1MB

Download
memory/3020-3177-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/3020-3176-0x0000000000210000-0x0000000000D21000-memory.dmp

Filesize
11.1MB

Download