quasar | c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe
Size

1.4MB
MD5

f26ef938c2c4235c5e4cdb4ebb801fca
SHA1

7c3413c638ea0c93cf2951cf05249df89bd98ff8
SHA256

c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272
SHA512

84d9d421b6794d412f55d8db296d55b46d25c0980da4a75eacf39d9ad912403bfd0a09142c907328df47b0a676826bd8a0ac422d6e89541da5ca49c13f073096
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

10^/10

quasar -discovery evasion execution persistence privilege_escalation spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

94.131.105.161:12344

Mutex

QSR_MUTEX_UEgITWnMKnRP3EZFzK

Attributes

encryption_key
5Q0JQBQQfAUHRJTcAIOF
install_name
lient.exe
log_directory
Lugs
reconnect_delay
3000
startup_key
itartup
subdirectory
SubDir

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\Music\\rot.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\Music\\rot.exe,"	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1572-149-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1912 powershell.exe
1340 powershell.exe
3236 powershell.exe
1148 powershell.exe
2784 powershell.exe
1712 powershell.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4596 netsh.exe
3068 netsh.exe

pid	process
1912	powershell.exe
1340	powershell.exe
3236	powershell.exe
1148	powershell.exe
2784	powershell.exe
1712	powershell.exe

pid	process
4596	netsh.exe
3068	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7z.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe

Executes dropped EXE 4 IoCs

Processes:

7z.exeratt.exeratt.exerot.exe

pid process

4420 7z.exe
2784 ratt.exe
4748 ratt.exe
2060 rot.exe
Loads dropped DLL 1 IoCs

Processes:

7z.exe

pid process

4420 7z.exe
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

pid	process
4420	7z.exe
2784	ratt.exe
4748	ratt.exe
2060	rot.exe

pid	process
4420	7z.exe

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe"	reg.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

rot.exe

description pid process target process

PID 2060 set thread context of 1572 2060 rot.exe InstallUtil.exe

flow	ioc
59	ip-api.com

description	pid	process	target process
PID 2060 set thread context of 1572	2060	rot.exe	InstallUtil.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4420-80-0x0000000000400000-0x0000000000432000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\7z.exe	upx
C:\Users\Admin\AppData\Local\Temp\7z.dll	upx
behavioral2/memory/4420-84-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/4420-88-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeWMIC.exeratt.exereg.exereg.execmd.execmd.exeWMIC.exereg.exepowershell.execmd.exepowershell.exe7z.exeratt.exePING.EXEPING.EXEpowershell.exenetsh.exePING.EXEcmd.execmd.execmd.exenslookup.exepowershell.exeWMIC.execmd.exec5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exepowershell.exenetsh.exeattrib.exePING.EXErot.exeInstallUtil.execmd.exePING.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ratt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ratt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXEcmd.exePING.EXEPING.EXEPING.EXEcmd.execmd.execmd.exe

pid process

1148 PING.EXE
224 PING.EXE
4664 cmd.exe
4912 PING.EXE
3976 PING.EXE
3996 PING.EXE
1912 cmd.exe
1516 cmd.exe
1976 cmd.exe
Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

224 PING.EXE
4912 PING.EXE
3976 PING.EXE
3996 PING.EXE
1148 PING.EXE

pid	process
1148	PING.EXE
224	PING.EXE
4664	cmd.exe
4912	PING.EXE
3976	PING.EXE
3996	PING.EXE
1912	cmd.exe
1516	cmd.exe
1976	cmd.exe

pid	process
224	PING.EXE
4912	PING.EXE
3976	PING.EXE
3996	PING.EXE
1148	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeratt.exeratt.exe

pid	process
3236	powershell.exe
3236	powershell.exe
1148	powershell.exe
1148	powershell.exe
2784	powershell.exe
2784	powershell.exe
1912	powershell.exe
1912	powershell.exe
1340	powershell.exe
1340	powershell.exe
1712	powershell.exe
1712	powershell.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
4748	ratt.exe
4748	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
2784	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe
4748	ratt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe
Token: 34	1636	WMIC.exe
Token: 35	1636	WMIC.exe
Token: 36	1636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe
Token: 34	1636	WMIC.exe
Token: 35	1636	WMIC.exe
Token: 36	1636	WMIC.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeIncreaseQuotaPrivilege	1032	WMIC.exe
Token: SeSecurityPrivilege	1032	WMIC.exe
Token: SeTakeOwnershipPrivilege	1032	WMIC.exe
Token: SeLoadDriverPrivilege	1032	WMIC.exe
Token: SeSystemProfilePrivilege	1032	WMIC.exe
Token: SeSystemtimePrivilege	1032	WMIC.exe
Token: SeProfSingleProcessPrivilege	1032	WMIC.exe
Token: SeIncBasePriorityPrivilege	1032	WMIC.exe
Token: SeCreatePagefilePrivilege	1032	WMIC.exe
Token: SeBackupPrivilege	1032	WMIC.exe
Token: SeRestorePrivilege	1032	WMIC.exe
Token: SeShutdownPrivilege	1032	WMIC.exe
Token: SeDebugPrivilege	1032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1032	WMIC.exe
Token: SeRemoteShutdownPrivilege	1032	WMIC.exe
Token: SeUndockPrivilege	1032	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

1572 InstallUtil.exe

pid	process
1572	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.execmd.execmd.execmd.exepowershell.execmd.execmd.exeratt.exe

description	pid	process	target process
PID 4804 wrote to memory of 2880	4804	c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe	cmd.exe
PID 4804 wrote to memory of 2880	4804	c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe	cmd.exe
PID 4804 wrote to memory of 2880	4804	c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe	cmd.exe
PID 2880 wrote to memory of 4072	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 4072	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 4072	2880	cmd.exe	cmd.exe
PID 4072 wrote to memory of 3704	4072	cmd.exe	nslookup.exe
PID 4072 wrote to memory of 3704	4072	cmd.exe	nslookup.exe
PID 4072 wrote to memory of 3704	4072	cmd.exe	nslookup.exe
PID 2880 wrote to memory of 3044	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 3044	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 3044	2880	cmd.exe	cmd.exe
PID 3044 wrote to memory of 1636	3044	cmd.exe	WMIC.exe
PID 3044 wrote to memory of 1636	3044	cmd.exe	WMIC.exe
PID 3044 wrote to memory of 1636	3044	cmd.exe	WMIC.exe
PID 2880 wrote to memory of 3236	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 3236	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 3236	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1148	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1148	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1148	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2784	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2784	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2784	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1912	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1912	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1912	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1340	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1340	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1340	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 4420	2880	cmd.exe	7z.exe
PID 2880 wrote to memory of 4420	2880	cmd.exe	7z.exe
PID 2880 wrote to memory of 4420	2880	cmd.exe	7z.exe
PID 2880 wrote to memory of 1712	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1712	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1712	2880	cmd.exe	powershell.exe
PID 1712 wrote to memory of 3068	1712	powershell.exe	netsh.exe
PID 1712 wrote to memory of 3068	1712	powershell.exe	netsh.exe
PID 1712 wrote to memory of 3068	1712	powershell.exe	netsh.exe
PID 1712 wrote to memory of 4596	1712	powershell.exe	netsh.exe
PID 1712 wrote to memory of 4596	1712	powershell.exe	netsh.exe
PID 1712 wrote to memory of 4596	1712	powershell.exe	netsh.exe
PID 1712 wrote to memory of 1132	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 1132	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 1132	1712	powershell.exe	cmd.exe
PID 1132 wrote to memory of 1032	1132	cmd.exe	WMIC.exe
PID 1132 wrote to memory of 1032	1132	cmd.exe	WMIC.exe
PID 1132 wrote to memory of 1032	1132	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 2060	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 2060	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 2060	1712	powershell.exe	cmd.exe
PID 2060 wrote to memory of 1160	2060	cmd.exe	WMIC.exe
PID 2060 wrote to memory of 1160	2060	cmd.exe	WMIC.exe
PID 2060 wrote to memory of 1160	2060	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 2784	1712	powershell.exe	ratt.exe
PID 1712 wrote to memory of 2784	1712	powershell.exe	ratt.exe
PID 1712 wrote to memory of 2784	1712	powershell.exe	ratt.exe
PID 1712 wrote to memory of 4424	1712	powershell.exe	attrib.exe
PID 1712 wrote to memory of 4424	1712	powershell.exe	attrib.exe
PID 1712 wrote to memory of 4424	1712	powershell.exe	attrib.exe
PID 2880 wrote to memory of 2980	2880	cmd.exe	reg.exe
PID 2880 wrote to memory of 2980	2880	cmd.exe	reg.exe
PID 2880 wrote to memory of 2980	2880	cmd.exe	reg.exe
PID 2784 wrote to memory of 1912	2784	ratt.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4424 attrib.exe

pid	process
4424	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe
"C:\Users\Admin\AppData\Local\Temp\c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
4⤵
- System Location Discovery: System Language Discovery
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic ComputerSystem get Domain
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Users\Admin\AppData\Local\Temp\7z.exe
7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3068

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic computersystem where name="YLFOGIOE" set AutomaticManagedPagefile=False
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
5⤵
- System Location Discovery: System Language Discovery
PID:1160

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1912

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:224

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
6⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:4332

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\Music\rot.exe"
5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4664

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 18
6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4912

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4424

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2980

C:\Users\Admin\AppData\Local\Temp\ratt.exe
"ratt.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4748

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1516

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3976

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
5⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:64

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 19 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 19 > nul && "C:\Users\Admin\Music\rot.exe"
4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1976

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 19
5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3996

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 19
5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1148

C:\Users\Admin\Music\rot.exe
"C:\Users\Admin\Music\rot.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
d5dcd47e59723e98205063a540321134

SHA1
67537b097ff378ee9136494468121afd0053a2c7

SHA256
c9d15972fe1e7f1cb9f54dddc6b3720e73e9b5cdfb9e92278dd541e7b945b191

SHA512
d22345c42bc1f25faca40b15089bed2f66c38ba9e38cd44fb9c7b7fdd87b3b9c54b52a22a254fb43c6f2cd6f31347f5c3e6babaa4dae66b9e12450678900064c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e21bd24678ab2c70b165ec0d23574a50

SHA1
21663f952f5c4d7267e8427392c6cae51fdf59b2

SHA256
9ccffc3eebd9bb9e679650f37346f02d04e0702d2953f4b3e0fce65250ca91f5

SHA512
7afef22041f3c3b31c2b45cbee9dacebb899d5cbd5f48f0fe0562f8a9d8233c54f2d3bf5de2558c7d2f56dbe63936ab932b669d94b945ac43241249aee9d33b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
d59040ffc4797c1298ea497f0758c3a5

SHA1
8e639adf7289a66031d2db3e627836234f22481e

SHA256
8fef4b6aef3716171a017126dd53c0ef674865d16b169b06ef3c6bce78410d2c

SHA512
af0750abedb5c59582f17022a0ef37f90bce348311724009ca85e5adc113a0b8b668ae4854e3a28e91188b89388b7df8e0cd73262e2601cd8d188dbd9ee2d490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
64020330f7eff27208edc469e5e1f9a5

SHA1
8966eb154bd170450ac12bfaf5c68514933aec45

SHA256
87f7fe6377ec87ebd1cc38ccee030a3eb530b1163c6b5d7d8466ce718577f0bb

SHA512
7de232b27299cb97cb4a695b1dff27d928facfd422b2890c3b50190b403717396642850a31e2a0b806b5d4695a2f345bccc6412059765c1bf966294547745ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7cf0b6459b4d54914f7286636d2b96aa

SHA1
441624f296dcf8214945640adc2c241ca230685e

SHA256
f46cf0b3c6c26820886aea22b9676634156c3c22f5f0953cd4dcf37984b812ba

SHA512
45606e4e7827ad7708c27442dbe246a056e15372046e07b1a2fc6769fd409efcaf6ac0a84476d073b8c5c416b7f3e8c3db434aa0d57e7aa90d2ba79ca6d4d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4omiankp.vq4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
memory/1572-152-0x0000000006130000-0x000000000616C000-memory.dmp

Filesize
240KB

Download
memory/1572-149-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1572-151-0x0000000005CF0000-0x0000000005D02000-memory.dmp

Filesize
72KB

Download
memory/1712-105-0x0000000006A30000-0x0000000006A62000-memory.dmp

Filesize
200KB

Download
memory/1712-126-0x0000000007A00000-0x0000000007A08000-memory.dmp

Filesize
32KB

Download
memory/1712-123-0x00000000079B0000-0x00000000079BE000-memory.dmp

Filesize
56KB

Download
memory/1712-122-0x0000000007990000-0x00000000079A1000-memory.dmp

Filesize
68KB

Download
memory/1712-121-0x0000000007A30000-0x0000000007AC6000-memory.dmp

Filesize
600KB

Download
memory/1712-128-0x0000000008A10000-0x0000000008FB4000-memory.dmp

Filesize
5.6MB

Download
memory/1712-101-0x0000000005E00000-0x0000000006154000-memory.dmp

Filesize
3.3MB

Download
memory/1712-127-0x0000000007B40000-0x0000000007B62000-memory.dmp

Filesize
136KB

Download
memory/1712-103-0x0000000006530000-0x000000000657C000-memory.dmp

Filesize
304KB

Download
memory/1712-124-0x00000000079C0000-0x00000000079D4000-memory.dmp

Filesize
80KB

Download
memory/1712-125-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/1712-106-0x0000000070560000-0x00000000705AC000-memory.dmp

Filesize
304KB

Download
memory/1712-116-0x0000000006A70000-0x0000000006A8E000-memory.dmp

Filesize
120KB

Download
memory/1712-117-0x00000000076B0000-0x0000000007753000-memory.dmp

Filesize
652KB

Download
memory/1712-118-0x0000000007DE0000-0x000000000845A000-memory.dmp

Filesize
6.5MB

Download
memory/1712-119-0x00000000077A0000-0x00000000077BA000-memory.dmp

Filesize
104KB

Download
memory/1712-120-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/2060-146-0x0000000000380000-0x0000000000536000-memory.dmp

Filesize
1.7MB

Download
memory/2060-147-0x0000000006A60000-0x0000000006A7A000-memory.dmp

Filesize
104KB

Download
memory/2060-148-0x0000000006A90000-0x0000000006A96000-memory.dmp

Filesize
24KB

Download
memory/2784-135-0x0000000005350000-0x0000000005396000-memory.dmp

Filesize
280KB

Download
memory/2784-136-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/2784-44-0x00000000060D0000-0x0000000006424000-memory.dmp

Filesize
3.3MB

Download
memory/2784-134-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/2784-132-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download
memory/2784-131-0x0000000000EF0000-0x00000000010A6000-memory.dmp

Filesize
1.7MB

Download
memory/3236-28-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/3236-17-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3236-16-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/3236-29-0x0000000006760000-0x00000000067AC000-memory.dmp

Filesize
304KB

Download
memory/3236-27-0x0000000006370000-0x00000000066C4000-memory.dmp

Filesize
3.3MB

Download
memory/3236-15-0x0000000005740000-0x0000000005762000-memory.dmp

Filesize
136KB

Download
memory/3236-14-0x00000000058E0000-0x0000000005F08000-memory.dmp

Filesize
6.2MB

Download
memory/3236-13-0x0000000003160000-0x0000000003196000-memory.dmp

Filesize
216KB

Download
memory/4420-88-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4420-80-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4420-84-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/4748-138-0x00000000006B0000-0x0000000000866000-memory.dmp

Filesize
1.7MB

Download