bitrat | 426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a

Resubmissions

17-04-2024 11:59

240417-n55assfe71 10

17-04-2024 11:59

17-04-2024 11:59

17-04-2024 11:59

17-04-2024 11:59

17-04-2024 06:14

Analysis

max time kernel
298s
max time network
304s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17-04-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
Size

7.8MB
MD5

dbcb8a833677953edaf640b4d627895c
SHA1

688d21022848bddd94d1cf45d351cac0214c46be
SHA256

426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a
SHA512

a789c91d86a0d09a62b12e1b11d97ed1410ec91d24f09fcc459d88432fa1a8a6bfccbf8427a68f950f2b3a13142668dfc21414c76867330babc4c13bb3553c15
SSDEEP

196608:OIRcbH4jSteTGvaxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfm:OdHsfuaxwZ6v1CPwDv3uFteg2EeJUO9a

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

sef7qgz77oamhl5gimls62lekmig5ormf6dcgftblhaxt2cn7emkbuid.onion:80

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
appdata
install_file
HealthCheck.exe
tor_process
WebDebugger

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\00e31655\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\00e31655\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\00e31655\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\00e31655\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\00e31655\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\00e31655\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\00e31655\tor\libevent-2-1-6.dll	acprotect

Executes dropped EXE 11 IoCs

Processes:

WebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exe

pid	process
2240	WebDebugger.exe
2656	WebDebugger.exe
3164	WebDebugger.exe
872	WebDebugger.exe
2244	WebDebugger.exe
4784	WebDebugger.exe
4976	WebDebugger.exe
3068	WebDebugger.exe
4944	WebDebugger.exe
2420	WebDebugger.exe
200	WebDebugger.exe

Loads dropped DLL 64 IoCs

Processes:

WebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exeWebDebugger.exe

pid	process
2240	WebDebugger.exe
2240	WebDebugger.exe
2240	WebDebugger.exe
2240	WebDebugger.exe
2240	WebDebugger.exe
2240	WebDebugger.exe
2240	WebDebugger.exe
2240	WebDebugger.exe
2240	WebDebugger.exe
2656	WebDebugger.exe
2656	WebDebugger.exe
2656	WebDebugger.exe
2656	WebDebugger.exe
2656	WebDebugger.exe
2656	WebDebugger.exe
2656	WebDebugger.exe
3164	WebDebugger.exe
3164	WebDebugger.exe
3164	WebDebugger.exe
3164	WebDebugger.exe
3164	WebDebugger.exe
3164	WebDebugger.exe
3164	WebDebugger.exe
872	WebDebugger.exe
872	WebDebugger.exe
872	WebDebugger.exe
872	WebDebugger.exe
872	WebDebugger.exe
872	WebDebugger.exe
872	WebDebugger.exe
2244	WebDebugger.exe
2244	WebDebugger.exe
2244	WebDebugger.exe
2244	WebDebugger.exe
2244	WebDebugger.exe
2244	WebDebugger.exe
2244	WebDebugger.exe
4784	WebDebugger.exe
4784	WebDebugger.exe
4784	WebDebugger.exe
4784	WebDebugger.exe
4784	WebDebugger.exe
4784	WebDebugger.exe
4784	WebDebugger.exe
4976	WebDebugger.exe
4976	WebDebugger.exe
4976	WebDebugger.exe
4976	WebDebugger.exe
4976	WebDebugger.exe
4976	WebDebugger.exe
4976	WebDebugger.exe
3068	WebDebugger.exe
3068	WebDebugger.exe
3068	WebDebugger.exe
3068	WebDebugger.exe
3068	WebDebugger.exe
3068	WebDebugger.exe
3068	WebDebugger.exe
4944	WebDebugger.exe
4944	WebDebugger.exe
4944	WebDebugger.exe
4944	WebDebugger.exe
4944	WebDebugger.exe
4944	WebDebugger.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe	upx
C:\Users\Admin\AppData\Local\00e31655\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\00e31655\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\00e31655\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\00e31655\tor\libwinpthread-1.dll	upx
behavioral5/memory/2240-34-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
C:\Users\Admin\AppData\Local\00e31655\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\00e31655\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\00e31655\tor\libevent-2-1-6.dll	upx
behavioral5/memory/2240-35-0x0000000073B70000-0x0000000073C3E000-memory.dmp	upx
behavioral5/memory/2240-38-0x0000000073950000-0x0000000073A5A000-memory.dmp	upx
behavioral5/memory/2240-37-0x0000000073AF0000-0x0000000073B14000-memory.dmp	upx
behavioral5/memory/2240-43-0x0000000073A60000-0x0000000073AE8000-memory.dmp	upx
behavioral5/memory/2240-36-0x0000000073B20000-0x0000000073B69000-memory.dmp	upx
behavioral5/memory/2240-45-0x0000000073680000-0x000000007394F000-memory.dmp	upx
behavioral5/memory/2240-46-0x0000000073C40000-0x0000000073D08000-memory.dmp	upx
behavioral5/memory/2240-56-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2240-58-0x0000000073B70000-0x0000000073C3E000-memory.dmp	upx
behavioral5/memory/2240-74-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2240-76-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2240-90-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2240-98-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2240-114-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2240-123-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2240-131-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2240-139-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2656-156-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2656-157-0x0000000073680000-0x000000007394F000-memory.dmp	upx
behavioral5/memory/2656-162-0x0000000073B70000-0x0000000073C3E000-memory.dmp	upx
behavioral5/memory/2656-164-0x0000000073B20000-0x0000000073B69000-memory.dmp	upx
behavioral5/memory/2656-160-0x0000000073C40000-0x0000000073D08000-memory.dmp	upx
behavioral5/memory/2656-165-0x0000000073AF0000-0x0000000073B14000-memory.dmp	upx
behavioral5/memory/2656-166-0x0000000073950000-0x0000000073A5A000-memory.dmp	upx
behavioral5/memory/2656-167-0x0000000073A60000-0x0000000073AE8000-memory.dmp	upx
behavioral5/memory/2656-190-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2656-191-0x0000000073680000-0x000000007394F000-memory.dmp	upx
behavioral5/memory/2656-220-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/3164-227-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/3164-229-0x0000000073680000-0x000000007394F000-memory.dmp	upx
behavioral5/memory/3164-231-0x0000000073C40000-0x0000000073D08000-memory.dmp	upx
behavioral5/memory/3164-234-0x0000000073B20000-0x0000000073B69000-memory.dmp	upx
behavioral5/memory/3164-232-0x0000000073B70000-0x0000000073C3E000-memory.dmp	upx
behavioral5/memory/3164-236-0x0000000073AF0000-0x0000000073B14000-memory.dmp	upx
behavioral5/memory/3164-238-0x0000000073950000-0x0000000073A5A000-memory.dmp	upx
behavioral5/memory/3164-240-0x0000000073A60000-0x0000000073AE8000-memory.dmp	upx
behavioral5/memory/872-252-0x0000000073980000-0x0000000073A48000-memory.dmp	upx
behavioral5/memory/872-255-0x0000000073A50000-0x0000000073D1F000-memory.dmp	upx
behavioral5/memory/872-256-0x0000000073930000-0x0000000073979000-memory.dmp	upx
behavioral5/memory/872-257-0x0000000073820000-0x000000007392A000-memory.dmp	upx
behavioral5/memory/872-258-0x0000000073790000-0x0000000073818000-memory.dmp	upx
behavioral5/memory/872-259-0x0000000073760000-0x0000000073784000-memory.dmp	upx
behavioral5/memory/872-260-0x0000000073690000-0x000000007375E000-memory.dmp	upx
behavioral5/memory/872-280-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/872-281-0x0000000073980000-0x0000000073A48000-memory.dmp	upx
behavioral5/memory/872-282-0x0000000073A50000-0x0000000073D1F000-memory.dmp	upx
behavioral5/memory/2244-304-0x0000000073980000-0x0000000073A48000-memory.dmp	upx
behavioral5/memory/2244-306-0x0000000073690000-0x000000007375E000-memory.dmp	upx
behavioral5/memory/2244-309-0x0000000073930000-0x0000000073979000-memory.dmp	upx
behavioral5/memory/2244-311-0x0000000073760000-0x0000000073784000-memory.dmp	upx
behavioral5/memory/872-312-0x0000000000F60000-0x0000000001364000-memory.dmp	upx
behavioral5/memory/2244-313-0x0000000073820000-0x000000007392A000-memory.dmp	upx
behavioral5/memory/2244-317-0x0000000073A50000-0x0000000073D1F000-memory.dmp	upx
behavioral5/memory/2244-314-0x0000000073790000-0x0000000073818000-memory.dmp	upx
behavioral5/memory/2244-328-0x0000000000F60000-0x0000000001364000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck.exe촀"	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck.exe"	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck.exe耀"	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck.exe✀"	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 myexternalip.com
10 myexternalip.com
15 myexternalip.com
27 myexternalip.com
33 myexternalip.com
46 myexternalip.com

flow	ioc
6	myexternalip.com
10	myexternalip.com
15	myexternalip.com
27	myexternalip.com
33	myexternalip.com
46	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

pid	process
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 54 IoCs

Processes:

426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

pid	process
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

description pid process

Token: SeShutdownPrivilege 416 426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

pid process

416 426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
416 426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

description	pid	process
Token: SeShutdownPrivilege	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe

description	pid	process	target process
PID 416 wrote to memory of 2240	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2240	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2240	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2656	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2656	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2656	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 3164	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 3164	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 3164	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 872	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 872	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 872	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2244	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2244	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2244	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 4784	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 4784	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 4784	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 4976	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 4976	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 4976	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 3068	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 3068	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 3068	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 4944	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 4944	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 4944	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2420	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2420	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 2420	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 200	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 200	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe
PID 416 wrote to memory of 200	416	426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe	WebDebugger.exe

C:\Users\Admin\AppData\Local\Temp\426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe
"C:\Users\Admin\AppData\Local\Temp\426bc8bac5cb97b5340b0f347cc70024fb5cc64041149ad923c815aedaf17a7a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:416

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3164

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4784

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4976

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4944

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2420

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
"C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe" -f torrc
2⤵
- Executes dropped EXE
PID:200

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\00e31655\tor\WebDebugger.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\data\cached-certs
Filesize
20KB

MD5
c9698cf9fc76729ecc929df700aaa4a9

SHA1
e4423059628f472e6b13029fbabf229a5555e096

SHA256
a2703e796fd5148ca86f56cda3f4f55f1893415f4f06f04e518767593d91c86c

SHA512
07591144bd126ddcc5c72f58c493c705a6cdba8abdd8c8fb67de168315b7f2457ace34861c5ef5d1fc0a25b9d48f839476af8677fd07ab49512afd6efb17400a

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\data\cached-microdesc-consensus
Filesize
2.6MB

MD5
c7e7df0119da2669c8d05dcf0f2cb4c5

SHA1
99324bd69525feb253c665023c9261b3f078818b

SHA256
6b92f204e74bf781bdd6e46152bf993deb86e367e749a29a47ba65f23d8846ff

SHA512
a9fd3259cbca5411df9791b215348d21b5ddd0cad942131ef852167737ee17f76e62c827edcd22c49868063d1af87d878663a15ec02cb53e8afbb75e19f45bab

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\data\cached-microdescs
Filesize
20.3MB

MD5
01f4b5ff1367f1ea3760c51a0bff6c35

SHA1
0b0c9b227b732efacf1663266270735311f5cbd2

SHA256
366f8bceeb278ad40f4b9c6aae3feb5c563493abe7007c65329c2f2ec434d7ae

SHA512
15422bf0276a872d510f7f4db1eeced81bc3210634eefd82d4485401573b415bb43c9cd9ef64aac253d118bcb5b8b96f14c20483471b65ed5d4db7eb9a0a5e30

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\data\cached-microdescs.new
Filesize
20.3MB

MD5
e833247cb0f582ba7e8d17d3d1cd6bfe

SHA1
8606cb1f2cd646a5afa3a721e7d4110eec577268

SHA256
07da4017c8408961a7902a0fb2de71909e895d0e63350ea53c2b5e4c4d512180

SHA512
31debb0ad4ed650eb8ef041844230e2992daca45ef1fab8bbd77cff5ab6e239ca9e841a286d71efc2791a544f25184934aff65693f61ddea60d978d03ccf1424

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\data\cached-microdescs.new
Filesize
5.5MB

MD5
9bdfa2e37f3104eb1f41ef30670ce249

SHA1
0b6b231b83c938071dab9ea39c8c9096b34bc386

SHA256
769041df4b8c7cd99bfc17b5b53f00f6975af74771bcb9198059a7b272dee84a

SHA512
5737c56e774e433f64358e82ac8652de34d7f9908d36e1d043442d666f5b91d1e1fe2e1187b25da2ab7bdaa2401131d50f7e88634a975b56397d17e7acf9c3af

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\data\state
Filesize
232B

MD5
2a0c27fc65e87b2d2ef523b51c2335e2

SHA1
ce4b975f0b9eeb7dc8d47b12593168a6ee1d573a

SHA256
19bac671870ebda0f5d257ba2e3dfd3fee4add4580ec3df2d318b7afd7ec744d

SHA512
a2db05fd55fd329b690890bd7fdd22e40798286fb7f900bebcb192ae763af36f99f0f7f8627ca8f70630f922898e0d688afc98824aa22dec1f3ca3259b33706e

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\data\state
Filesize
5KB

MD5
95d1d8bee351444610306927351b646d

SHA1
50dcdf8e146c85b3b95c510df7b8ce49f006ffb0

SHA256
83296a8b295b60931c19ba0dc209f5dde3eff2d72384516614fc7006bbb72235

SHA512
a611dffae3174453faf765302e9a47dce1498378c58c8f20876c7c6912cc77e13eb31bd370d74414b35d71a7f7a48bc59159f24b7400c3e31ba641b0557be37e

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\data\state
Filesize
3KB

MD5
b11ac1f5c7aa1d7678efb4c2c194f2ba

SHA1
84f91ccdfbdfcf87fc65ab0cf6cb27fa62200654

SHA256
2838fb6e47f747326412b5952d047e746a5cf96dbf2b5d66ee86371ed48a7046

SHA512
a83fb8a81f8e63e48be92b8da8d04c33e4bbd914d63f4e8e88eb7c73cbb231cc7a3d8edede86515321187323763316f818bac8b149b415dd958906c8ba243e71

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\torrc
Filesize
157B

MD5
f7f5ed03553f99d16dde40c6161a8d3c

SHA1
9a985a5f5d976c28790945ea1d0e8fe3f8af98d8

SHA256
3142e667dd2251755b91092cf15f90c64a1551f725d7a6f07abd0b083a6e6397

SHA512
72ac83d07d5081154fbee25f5ce815a2d8de18e265cc00434eaa5537fc97e7c3801001d85d7cd8e838f246cefa61c6fe8b9fd29b3368d639c7b6fc6df43e4e76

Download Submit
C:\Users\Admin\AppData\Local\00e31655\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/416-339-0x00000000746F0000-0x000000007472C000-memory.dmp

Filesize
240KB

Download
memory/416-0-0x0000000000400000-0x0000000000BDB000-memory.dmp

Filesize
7.9MB

Download
memory/416-348-0x0000000073260000-0x000000007329C000-memory.dmp

Filesize
240KB

Download
memory/416-122-0x0000000072730000-0x000000007276C000-memory.dmp

Filesize
240KB

Download
memory/416-1-0x00000000746F0000-0x000000007472C000-memory.dmp

Filesize
240KB

Download
memory/416-55-0x0000000073260000-0x000000007329C000-memory.dmp

Filesize
240KB

Download
memory/872-260-0x0000000073690000-0x000000007375E000-memory.dmp

Filesize
824KB

Download
memory/872-259-0x0000000073760000-0x0000000073784000-memory.dmp

Filesize
144KB

Download
memory/872-281-0x0000000073980000-0x0000000073A48000-memory.dmp

Filesize
800KB

Download
memory/872-280-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/872-252-0x0000000073980000-0x0000000073A48000-memory.dmp

Filesize
800KB

Download
memory/872-255-0x0000000073A50000-0x0000000073D1F000-memory.dmp

Filesize
2.8MB

Download
memory/872-312-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/872-256-0x0000000073930000-0x0000000073979000-memory.dmp

Filesize
292KB

Download
memory/872-282-0x0000000073A50000-0x0000000073D1F000-memory.dmp

Filesize
2.8MB

Download
memory/872-257-0x0000000073820000-0x000000007392A000-memory.dmp

Filesize
1.0MB

Download
memory/872-258-0x0000000073790000-0x0000000073818000-memory.dmp

Filesize
544KB

Download
memory/2240-114-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2240-46-0x0000000073C40000-0x0000000073D08000-memory.dmp

Filesize
800KB

Download
memory/2240-39-0x0000000001E20000-0x0000000001EA8000-memory.dmp

Filesize
544KB

Download
memory/2240-34-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2240-35-0x0000000073B70000-0x0000000073C3E000-memory.dmp

Filesize
824KB

Download
memory/2240-58-0x0000000073B70000-0x0000000073C3E000-memory.dmp

Filesize
824KB

Download
memory/2240-45-0x0000000073680000-0x000000007394F000-memory.dmp

Filesize
2.8MB

Download
memory/2240-131-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2240-44-0x0000000001E20000-0x00000000020EF000-memory.dmp

Filesize
2.8MB

Download
memory/2240-123-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2240-37-0x0000000073AF0000-0x0000000073B14000-memory.dmp

Filesize
144KB

Download
memory/2240-139-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2240-36-0x0000000073B20000-0x0000000073B69000-memory.dmp

Filesize
292KB

Download
memory/2240-43-0x0000000073A60000-0x0000000073AE8000-memory.dmp

Filesize
544KB

Download
memory/2240-38-0x0000000073950000-0x0000000073A5A000-memory.dmp

Filesize
1.0MB

Download
memory/2240-98-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2240-90-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2240-84-0x0000000001E20000-0x00000000020EF000-memory.dmp

Filesize
2.8MB

Download
memory/2240-76-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2240-74-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2240-56-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2244-328-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2244-304-0x0000000073980000-0x0000000073A48000-memory.dmp

Filesize
800KB

Download
memory/2244-306-0x0000000073690000-0x000000007375E000-memory.dmp

Filesize
824KB

Download
memory/2244-309-0x0000000073930000-0x0000000073979000-memory.dmp

Filesize
292KB

Download
memory/2244-311-0x0000000073760000-0x0000000073784000-memory.dmp

Filesize
144KB

Download
memory/2244-313-0x0000000073820000-0x000000007392A000-memory.dmp

Filesize
1.0MB

Download
memory/2244-317-0x0000000073A50000-0x0000000073D1F000-memory.dmp

Filesize
2.8MB

Download
memory/2244-314-0x0000000073790000-0x0000000073818000-memory.dmp

Filesize
544KB

Download
memory/2244-337-0x0000000073980000-0x0000000073A48000-memory.dmp

Filesize
800KB

Download
memory/2244-338-0x0000000073690000-0x000000007375E000-memory.dmp

Filesize
824KB

Download
memory/2244-363-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2656-164-0x0000000073B20000-0x0000000073B69000-memory.dmp

Filesize
292KB

Download
memory/2656-190-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2656-156-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2656-157-0x0000000073680000-0x000000007394F000-memory.dmp

Filesize
2.8MB

Download
memory/2656-162-0x0000000073B70000-0x0000000073C3E000-memory.dmp

Filesize
824KB

Download
memory/2656-160-0x0000000073C40000-0x0000000073D08000-memory.dmp

Filesize
800KB

Download
memory/2656-165-0x0000000073AF0000-0x0000000073B14000-memory.dmp

Filesize
144KB

Download
memory/2656-166-0x0000000073950000-0x0000000073A5A000-memory.dmp

Filesize
1.0MB

Download
memory/2656-167-0x0000000073A60000-0x0000000073AE8000-memory.dmp

Filesize
544KB

Download
memory/2656-220-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2656-191-0x0000000073680000-0x000000007394F000-memory.dmp

Filesize
2.8MB

Download
memory/3164-229-0x0000000073680000-0x000000007394F000-memory.dmp

Filesize
2.8MB

Download
memory/3164-238-0x0000000073950000-0x0000000073A5A000-memory.dmp

Filesize
1.0MB

Download
memory/3164-240-0x0000000073A60000-0x0000000073AE8000-memory.dmp

Filesize
544KB

Download
memory/3164-231-0x0000000073C40000-0x0000000073D08000-memory.dmp

Filesize
800KB

Download
memory/3164-234-0x0000000073B20000-0x0000000073B69000-memory.dmp

Filesize
292KB

Download
memory/3164-232-0x0000000073B70000-0x0000000073C3E000-memory.dmp

Filesize
824KB

Download
memory/3164-236-0x0000000073AF0000-0x0000000073B14000-memory.dmp

Filesize
144KB

Download
memory/3164-227-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/4784-357-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/4784-361-0x0000000073980000-0x0000000073A48000-memory.dmp

Filesize
800KB

Download
memory/4784-362-0x0000000073690000-0x000000007375E000-memory.dmp

Filesize
824KB

Download
memory/4784-359-0x0000000073A50000-0x0000000073D1F000-memory.dmp

Filesize
2.8MB

Download
memory/4784-364-0x0000000073930000-0x0000000073979000-memory.dmp

Filesize
292KB

Download
memory/4784-365-0x0000000073760000-0x0000000073784000-memory.dmp

Filesize
144KB

Download