quasar | f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827

Analysis

max time kernel
153s
max time network
97s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
Size

8.0MB
MD5

003663017d3ef845190636d56c4477fb
SHA1

fc8967e75ea99849ee703c262df58301933a89d7
SHA256

f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827
SHA512

15ebd16f8f64fe0a57a1bf819653817363a5bbcc665839e4f5dd0819204f502009bda12e938d3cf8f368c84a0b26b4a892f2c9f5fe9546f97fc80ab937c306b1

Score

10^/10

quasar trade bootkit discovery evasion persistence spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

trade

wrz.ddns.net:5700

Mutex

QSR_MUTEX_HQ4Y5Dn1t3ivwyhc79

Attributes

encryption_key
jlIbt3DTqIrhsELlJ19e
install_name
swctlsrv.exe
log_directory
Logs
reconnect_delay
3000
startup_key
microsoft_update_tool
subdirectory
SubDir

Signatures

Quasar Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1796-77-0x0000000000AD0000-0x0000000000E88000-memory.dmp	family_quasar
behavioral1/memory/1796-79-0x0000000000AD0000-0x0000000000E88000-memory.dmp	family_quasar
behavioral1/memory/1544-94-0x00000000008D0000-0x0000000000C88000-memory.dmp	family_quasar
behavioral1/memory/1544-95-0x00000000008D0000-0x0000000000C88000-memory.dmp	family_quasar
behavioral1/memory/1544-96-0x0000000077300000-0x0000000077480000-memory.dmp	family_quasar
behavioral1/memory/1312-123-0x00000000008D0000-0x0000000000C88000-memory.dmp	family_quasar
behavioral1/memory/1312-124-0x00000000008D0000-0x0000000000C88000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 9 IoCs

Processes:

syshost.exesvchst.exeswchst.exeswctlsrv.execmifw.execmifw.exeswctlsrv.execmifw.execmifw.exe

pid process

748 syshost.exe
1712 svchst.exe
1796 swchst.exe
1544 swctlsrv.exe
1296 cmifw.exe
1672 cmifw.exe
1312 swctlsrv.exe
1028 cmifw.exe
1752 cmifw.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

syshost.exesvchst.exeswctlsrv.execmifw.execmifw.exeswchst.exeswctlsrv.execmifw.execmifw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	syshost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	syshost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	swctlsrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmifw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmifw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	swchst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	swchst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	swctlsrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmifw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmifw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	swctlsrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	swctlsrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmifw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmifw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmifw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmifw.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1824 cmd.exe

pid	process
1824	cmd.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

swctlsrv.execmifw.execmifw.execmifw.exesyshost.exeswchst.exeswctlsrv.exesvchst.execmifw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine	swctlsrv.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine	cmifw.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine	cmifw.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine	cmifw.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine	syshost.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine	swchst.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine	swctlsrv.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine	svchst.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine	cmifw.exe

Loads dropped DLL 9 IoCs

Processes:

f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exeswchst.exeWerFault.exe

pid	process
1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
1796	swchst.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

428 icacls.exe
564 icacls.exe
2004 icacls.exe

pid	process
428	icacls.exe
564	icacls.exe
2004	icacls.exe

Checks whether UAC is enabled 1 TTPs 9 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

swctlsrv.execmifw.exesvchst.exeswctlsrv.execmifw.execmifw.exesyshost.exeswchst.execmifw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	swctlsrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmifw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchst.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	swctlsrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmifw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmifw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	syshost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	swchst.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmifw.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

swctlsrv.exesyshost.exeswchst.exeswctlsrv.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	swctlsrv.exe
File opened for modification	\??\PhysicalDrive0	syshost.exe
File opened for modification	\??\PhysicalDrive0	swchst.exe
File opened for modification	\??\PhysicalDrive0	swctlsrv.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1712-80-0x00000000010A0000-0x000000000149D000-memory.dmp	autoit_exe
behavioral1/memory/1672-107-0x0000000001150000-0x000000000154D000-memory.dmp	autoit_exe
behavioral1/memory/1296-106-0x0000000001150000-0x000000000154D000-memory.dmp	autoit_exe
behavioral1/memory/1312-122-0x0000000077300000-0x0000000077480000-memory.dmp	autoit_exe
behavioral1/memory/1028-130-0x0000000001150000-0x000000000154D000-memory.dmp	autoit_exe
behavioral1/memory/1752-136-0x0000000001150000-0x000000000154D000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

syshost.exesvchst.exeswchst.exeswctlsrv.execmifw.execmifw.exeswctlsrv.execmifw.execmifw.exe

pid process

748 syshost.exe
1712 svchst.exe
1796 swchst.exe
1544 swctlsrv.exe
1296 cmifw.exe
1672 cmifw.exe
1312 swctlsrv.exe
1028 cmifw.exe
1752 cmifw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1548 1544 WerFault.exe swctlsrv.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1656 schtasks.exe
1828 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

812 timeout.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

684 PING.EXE

pid	pid_target	process	target process
1548	1544	WerFault.exe	swctlsrv.exe

pid	process
1656	schtasks.exe
1828	schtasks.exe

pid	process
812	timeout.exe

pid	process
684	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

syshost.exesvchst.exeswchst.exeswctlsrv.execmifw.execmifw.exe

pid	process
748	syshost.exe
1712	svchst.exe
1796	swchst.exe
1544	swctlsrv.exe
1296	cmifw.exe
1672	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe
1296	cmifw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

swchst.exeswctlsrv.exe

description pid process

Token: SeDebugPrivilege 1796 swchst.exe
Token: SeDebugPrivilege 1544 swctlsrv.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

swctlsrv.exe

pid process

1544 swctlsrv.exe

description	pid	process
Token: SeDebugPrivilege	1796	swchst.exe
Token: SeDebugPrivilege	1544	swctlsrv.exe

pid	process
1544	swctlsrv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.execmd.exesvchst.execmd.exeswchst.exeswctlsrv.exetaskeng.execmd.exe

description	pid	process	target process
PID 1296 wrote to memory of 748	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	syshost.exe
PID 1296 wrote to memory of 748	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	syshost.exe
PID 1296 wrote to memory of 748	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	syshost.exe
PID 1296 wrote to memory of 748	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	syshost.exe
PID 1296 wrote to memory of 1712	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	svchst.exe
PID 1296 wrote to memory of 1712	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	svchst.exe
PID 1296 wrote to memory of 1712	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	svchst.exe
PID 1296 wrote to memory of 1712	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	svchst.exe
PID 1296 wrote to memory of 1796	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	swchst.exe
PID 1296 wrote to memory of 1796	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	swchst.exe
PID 1296 wrote to memory of 1796	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	swchst.exe
PID 1296 wrote to memory of 1796	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	swchst.exe
PID 1296 wrote to memory of 1824	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	cmd.exe
PID 1296 wrote to memory of 1824	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	cmd.exe
PID 1296 wrote to memory of 1824	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	cmd.exe
PID 1296 wrote to memory of 1824	1296	f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe	cmd.exe
PID 1824 wrote to memory of 812	1824	cmd.exe	timeout.exe
PID 1824 wrote to memory of 812	1824	cmd.exe	timeout.exe
PID 1824 wrote to memory of 812	1824	cmd.exe	timeout.exe
PID 1824 wrote to memory of 812	1824	cmd.exe	timeout.exe
PID 1712 wrote to memory of 1168	1712	svchst.exe	cmd.exe
PID 1712 wrote to memory of 1168	1712	svchst.exe	cmd.exe
PID 1712 wrote to memory of 1168	1712	svchst.exe	cmd.exe
PID 1712 wrote to memory of 1168	1712	svchst.exe	cmd.exe
PID 1168 wrote to memory of 428	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 428	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 428	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 428	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 564	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 564	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 564	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 564	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 2004	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 2004	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 2004	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 2004	1168	cmd.exe	icacls.exe
PID 1796 wrote to memory of 1656	1796	swchst.exe	schtasks.exe
PID 1796 wrote to memory of 1656	1796	swchst.exe	schtasks.exe
PID 1796 wrote to memory of 1656	1796	swchst.exe	schtasks.exe
PID 1796 wrote to memory of 1656	1796	swchst.exe	schtasks.exe
PID 1796 wrote to memory of 1544	1796	swchst.exe	swctlsrv.exe
PID 1796 wrote to memory of 1544	1796	swchst.exe	swctlsrv.exe
PID 1796 wrote to memory of 1544	1796	swchst.exe	swctlsrv.exe
PID 1796 wrote to memory of 1544	1796	swchst.exe	swctlsrv.exe
PID 1544 wrote to memory of 1828	1544	swctlsrv.exe	schtasks.exe
PID 1544 wrote to memory of 1828	1544	swctlsrv.exe	schtasks.exe
PID 1544 wrote to memory of 1828	1544	swctlsrv.exe	schtasks.exe
PID 1544 wrote to memory of 1828	1544	swctlsrv.exe	schtasks.exe
PID 1620 wrote to memory of 1296	1620	taskeng.exe	cmifw.exe
PID 1620 wrote to memory of 1296	1620	taskeng.exe	cmifw.exe
PID 1620 wrote to memory of 1296	1620	taskeng.exe	cmifw.exe
PID 1620 wrote to memory of 1296	1620	taskeng.exe	cmifw.exe
PID 1620 wrote to memory of 1672	1620	taskeng.exe	cmifw.exe
PID 1620 wrote to memory of 1672	1620	taskeng.exe	cmifw.exe
PID 1620 wrote to memory of 1672	1620	taskeng.exe	cmifw.exe
PID 1620 wrote to memory of 1672	1620	taskeng.exe	cmifw.exe
PID 1544 wrote to memory of 560	1544	swctlsrv.exe	cmd.exe
PID 1544 wrote to memory of 560	1544	swctlsrv.exe	cmd.exe
PID 1544 wrote to memory of 560	1544	swctlsrv.exe	cmd.exe
PID 1544 wrote to memory of 560	1544	swctlsrv.exe	cmd.exe
PID 560 wrote to memory of 1036	560	cmd.exe	chcp.com
PID 560 wrote to memory of 1036	560	cmd.exe	chcp.com
PID 560 wrote to memory of 1036	560	cmd.exe	chcp.com
PID 560 wrote to memory of 1036	560	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
"C:\Users\Admin\AppData\Local\Temp\f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Roaming\syshost.exe
C:\Users\Admin\AppData\Roaming\syshost.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:748

C:\Users\Admin\AppData\Roaming\svchst.exe
C:\Users\Admin\AppData\Roaming\svchst.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
3⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:428

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:2004

C:\Users\Admin\AppData\Roaming\swchst.exe
C:\Users\Admin\AppData\Roaming\swchst.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "microsoft_update_tool" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\swchst.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1656

C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
"C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "microsoft_update_tool" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MoOc6hmu6xeP.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:1036

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:684

C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
"C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1572
4⤵
- Loads dropped DLL
- Program crash
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\F92A19~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\F92A19~1.EXE" exit)
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\timeout.exe
timeout /t 0
3⤵
- Delays execution with timeout.exe
PID:812

C:\Windows\system32\taskeng.exe
taskeng.exe {4D5D4EDD-628A-4575-BF3C-2BC14EE8D488} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1672

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1028

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mntemp
Filesize
16B

MD5
723d8391974df8e696604e614b4ee920

SHA1
aa526cf27940b598b6a8ba4a5464fa2c0f85c55f

SHA256
b42a23871cf89b0bc1c8878bc3c001b0ebd95cd1f658579c09d9395bc901f38c

SHA512
7348cb81f8711222ab37d07e970dd804ddc46e1f44bc0a9056361f89bd460ada312791a602e8786b3988d332ae6dbe8c65a849f9d433b931334633b8e28beecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoOc6hmu6xeP.bat
Filesize
209B

MD5
8bdf75a1f1ab8a1529d790b3df033562

SHA1
a9c653b0e14248bd9ba8de3407c8449c7e8a0439

SHA256
677eef11db8f91a8edb2427b2ec922f2ccc31330c07d427e23acbbf2d7ee64fd

SHA512
e3e7fada22b8ab1ee66a2558f4c582846d69803158f4d60c4e58bafe540e3dff499a35e401056ab81ae1e047387474a5041406f71db9b34b13c49386b263c934

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
C:\Users\Admin\AppData\Roaming\svchst.exe
Filesize
1.8MB

MD5
703434861057ed7634a5e5ef4164cd3e

SHA1
0ad8fa7ba4f7b6aa04a9cf8aa6ed11145b5846ae

SHA256
e780952b3dc7a7621814d4598ab82c74f60c8d7f7bd19853b3ae0756b9eb15f1

SHA512
98e978874a6626ba1c64d2dd28a0df7233aed973e6b64278803ef22cd75de0fa8ad1aa094cda597f6b62b08b73253d6e4248b4fac5af2ebc5a53ec6ca409d114

Download Submit
C:\Users\Admin\AppData\Roaming\svchst.exe
Filesize
1.8MB

MD5
703434861057ed7634a5e5ef4164cd3e

SHA1
0ad8fa7ba4f7b6aa04a9cf8aa6ed11145b5846ae

SHA256
e780952b3dc7a7621814d4598ab82c74f60c8d7f7bd19853b3ae0756b9eb15f1

SHA512
98e978874a6626ba1c64d2dd28a0df7233aed973e6b64278803ef22cd75de0fa8ad1aa094cda597f6b62b08b73253d6e4248b4fac5af2ebc5a53ec6ca409d114

Download Submit
C:\Users\Admin\AppData\Roaming\swchst.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
C:\Users\Admin\AppData\Roaming\swchst.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
C:\Users\Admin\AppData\Roaming\syshost.exe
Filesize
1.6MB

MD5
eed9348f0146e0b4c4d6f54cc98cfd0e

SHA1
ffdf9491b21e3fed32ae90aa1e594934e1fbd339

SHA256
1fe17e478f59195cec8ade2f79596aeff8930a3f575a8d9ad7a48306a817082e

SHA512
eb8a57d6d8a25ac0aa90dad6716a632cec03eb0be7eb25c1c210e5c0eb59e415513cf5895c3d91f0f1ff781c175f941670a5663c045c2a7f78db173f95829705

Download Submit
C:\Users\Admin\AppData\Roaming\syshost.exe
Filesize
1.6MB

MD5
eed9348f0146e0b4c4d6f54cc98cfd0e

SHA1
ffdf9491b21e3fed32ae90aa1e594934e1fbd339

SHA256
1fe17e478f59195cec8ade2f79596aeff8930a3f575a8d9ad7a48306a817082e

SHA512
eb8a57d6d8a25ac0aa90dad6716a632cec03eb0be7eb25c1c210e5c0eb59e415513cf5895c3d91f0f1ff781c175f941670a5663c045c2a7f78db173f95829705

Download Submit
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
Filesize
1.8MB

MD5
703434861057ed7634a5e5ef4164cd3e

SHA1
0ad8fa7ba4f7b6aa04a9cf8aa6ed11145b5846ae

SHA256
e780952b3dc7a7621814d4598ab82c74f60c8d7f7bd19853b3ae0756b9eb15f1

SHA512
98e978874a6626ba1c64d2dd28a0df7233aed973e6b64278803ef22cd75de0fa8ad1aa094cda597f6b62b08b73253d6e4248b4fac5af2ebc5a53ec6ca409d114

Download Submit
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
Filesize
1.8MB

MD5
703434861057ed7634a5e5ef4164cd3e

SHA1
0ad8fa7ba4f7b6aa04a9cf8aa6ed11145b5846ae

SHA256
e780952b3dc7a7621814d4598ab82c74f60c8d7f7bd19853b3ae0756b9eb15f1

SHA512
98e978874a6626ba1c64d2dd28a0df7233aed973e6b64278803ef22cd75de0fa8ad1aa094cda597f6b62b08b73253d6e4248b4fac5af2ebc5a53ec6ca409d114

Download Submit
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
Filesize
1.8MB

MD5
703434861057ed7634a5e5ef4164cd3e

SHA1
0ad8fa7ba4f7b6aa04a9cf8aa6ed11145b5846ae

SHA256
e780952b3dc7a7621814d4598ab82c74f60c8d7f7bd19853b3ae0756b9eb15f1

SHA512
98e978874a6626ba1c64d2dd28a0df7233aed973e6b64278803ef22cd75de0fa8ad1aa094cda597f6b62b08b73253d6e4248b4fac5af2ebc5a53ec6ca409d114

Download Submit
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
Filesize
1.8MB

MD5
703434861057ed7634a5e5ef4164cd3e

SHA1
0ad8fa7ba4f7b6aa04a9cf8aa6ed11145b5846ae

SHA256
e780952b3dc7a7621814d4598ab82c74f60c8d7f7bd19853b3ae0756b9eb15f1

SHA512
98e978874a6626ba1c64d2dd28a0df7233aed973e6b64278803ef22cd75de0fa8ad1aa094cda597f6b62b08b73253d6e4248b4fac5af2ebc5a53ec6ca409d114

Download Submit
\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
\Users\Admin\AppData\Roaming\svchst.exe
Filesize
1.8MB

MD5
703434861057ed7634a5e5ef4164cd3e

SHA1
0ad8fa7ba4f7b6aa04a9cf8aa6ed11145b5846ae

SHA256
e780952b3dc7a7621814d4598ab82c74f60c8d7f7bd19853b3ae0756b9eb15f1

SHA512
98e978874a6626ba1c64d2dd28a0df7233aed973e6b64278803ef22cd75de0fa8ad1aa094cda597f6b62b08b73253d6e4248b4fac5af2ebc5a53ec6ca409d114

Download Submit
\Users\Admin\AppData\Roaming\swchst.exe
Filesize
1.6MB

MD5
6ffcb6f30bdb7c5f47d2b9a7cf0802d7

SHA1
b3bf06b3db7f811d472ccb6026a6d45365f6d871

SHA256
93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a

SHA512
83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a

Download Submit
\Users\Admin\AppData\Roaming\syshost.exe
Filesize
1.6MB

MD5
eed9348f0146e0b4c4d6f54cc98cfd0e

SHA1
ffdf9491b21e3fed32ae90aa1e594934e1fbd339

SHA256
1fe17e478f59195cec8ade2f79596aeff8930a3f575a8d9ad7a48306a817082e

SHA512
eb8a57d6d8a25ac0aa90dad6716a632cec03eb0be7eb25c1c210e5c0eb59e415513cf5895c3d91f0f1ff781c175f941670a5663c045c2a7f78db173f95829705

Download Submit
memory/428-84-0x0000000000000000-mapping.dmp

Download
memory/560-108-0x0000000000000000-mapping.dmp

Download
memory/564-85-0x0000000000000000-mapping.dmp

Download
memory/684-111-0x0000000000000000-mapping.dmp

Download
memory/748-72-0x0000000077300000-0x0000000077480000-memory.dmp

Filesize
1.5MB

Download
memory/748-71-0x0000000000B40000-0x0000000000F00000-memory.dmp

Filesize
3.8MB

Download
memory/748-56-0x0000000000000000-mapping.dmp

Download
memory/748-70-0x0000000000B40000-0x0000000000F00000-memory.dmp

Filesize
3.8MB

Download
memory/812-81-0x0000000000000000-mapping.dmp

Download
memory/1028-129-0x0000000077300000-0x0000000077480000-memory.dmp

Filesize
1.5MB

Download
memory/1028-130-0x0000000001150000-0x000000000154D000-memory.dmp

Filesize
4.0MB

Download
memory/1028-125-0x0000000000000000-mapping.dmp

Download
memory/1036-110-0x0000000000000000-mapping.dmp

Download
memory/1168-83-0x0000000000000000-mapping.dmp

Download
memory/1296-106-0x0000000001150000-0x000000000154D000-memory.dmp

Filesize
4.0MB

Download
memory/1296-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1296-98-0x0000000000000000-mapping.dmp

Download
memory/1312-122-0x0000000077300000-0x0000000077480000-memory.dmp

Filesize
1.5MB

Download
memory/1312-124-0x00000000008D0000-0x0000000000C88000-memory.dmp

Filesize
3.7MB

Download
memory/1312-123-0x00000000008D0000-0x0000000000C88000-memory.dmp

Filesize
3.7MB

Download
memory/1312-118-0x0000000000000000-mapping.dmp

Download
memory/1544-89-0x0000000000000000-mapping.dmp

Download
memory/1544-96-0x0000000077300000-0x0000000077480000-memory.dmp

Filesize
1.5MB

Download
memory/1544-95-0x00000000008D0000-0x0000000000C88000-memory.dmp

Filesize
3.7MB

Download
memory/1544-94-0x00000000008D0000-0x0000000000C88000-memory.dmp

Filesize
3.7MB

Download
memory/1548-112-0x0000000000000000-mapping.dmp

Download
memory/1656-87-0x0000000000000000-mapping.dmp

Download
memory/1672-99-0x0000000000000000-mapping.dmp

Download
memory/1672-107-0x0000000001150000-0x000000000154D000-memory.dmp

Filesize
4.0MB

Download
memory/1712-80-0x00000000010A0000-0x000000000149D000-memory.dmp

Filesize
4.0MB

Download
memory/1712-59-0x0000000000000000-mapping.dmp

Download
memory/1752-135-0x0000000077300000-0x0000000077480000-memory.dmp

Filesize
1.5MB

Download
memory/1752-136-0x0000000001150000-0x000000000154D000-memory.dmp

Filesize
4.0MB

Download
memory/1752-131-0x0000000000000000-mapping.dmp

Download
memory/1796-77-0x0000000000AD0000-0x0000000000E88000-memory.dmp

Filesize
3.7MB

Download
memory/1796-82-0x0000000077300000-0x0000000077480000-memory.dmp

Filesize
1.5MB

Download
memory/1796-79-0x0000000000AD0000-0x0000000000E88000-memory.dmp

Filesize
3.7MB

Download
memory/1796-65-0x0000000000000000-mapping.dmp

Download
memory/1824-78-0x0000000000000000-mapping.dmp

Download
memory/1828-97-0x0000000000000000-mapping.dmp

Download
memory/2004-86-0x0000000000000000-mapping.dmp

Download