quasar | 59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Size

348KB
MD5

e3227ee81215e58ad2b59b277ffb79f4
SHA1

cfc16846c11f280d907f151a3745827313e92fbf
SHA256

59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4
SHA512

b146155add08215e7376fe8ea2e8d8080467326de410eeee8feddcd27b5b821143d23f84d87d52f0c2e3601f9519ccd589e00249c008671f6572c348d09e248f
SSDEEP

6144:Aw6bPXhLApfpZUAlrmOW5bkjz3jnRBPtcW:xmhAp0Al8WjnRBP2W

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

myhost88.ddns.net:4782

Mutex

QSR_MUTEX_gBbXbVHlujwl4SvP3X

Attributes

encryption_key
7Bgb3YgUbXKS2un5vbeM
install_name
ms configs.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ms configs
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
	2	ip-api.com	Process not Found
	10	ip-api.com	Process not Found
	17	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/592-1-0x0000000000280000-0x00000000002DE000-memory.dmp	family_quasar
behavioral1/memory/1728-13-0x00000000003F0000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1612-23-0x0000000000160000-0x00000000001BE000-memory.dmp	family_quasar
behavioral1/memory/1884-42-0x0000000001110000-0x000000000116E000-memory.dmp	family_quasar
behavioral1/memory/1696-52-0x0000000001110000-0x000000000116E000-memory.dmp	family_quasar
behavioral1/memory/2304-71-0x00000000012C0000-0x000000000131E000-memory.dmp	family_quasar
behavioral1/memory/2760-81-0x00000000012C0000-0x000000000131E000-memory.dmp	family_quasar
behavioral1/memory/1620-91-0x0000000000090000-0x00000000000EE000-memory.dmp	family_quasar
behavioral1/memory/2808-101-0x0000000000D90000-0x0000000000DEE000-memory.dmp	family_quasar
behavioral1/memory/1132-111-0x0000000000340000-0x000000000039E000-memory.dmp	family_quasar
behavioral1/memory/912-121-0x0000000001150000-0x00000000011AE000-memory.dmp	family_quasar
behavioral1/memory/1892-131-0x0000000001310000-0x000000000136E000-memory.dmp	family_quasar

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
10	ip-api.com
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2868	PING.EXE
2388	PING.EXE
2204	PING.EXE
2080	PING.EXE
1052	PING.EXE
2004	PING.EXE
2608	PING.EXE
2268	PING.EXE
1252	PING.EXE
2236	PING.EXE
2756	PING.EXE
1944	PING.EXE
2308	PING.EXE
1184	PING.EXE
1092	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1052	PING.EXE
2004	PING.EXE
2308	PING.EXE
1184	PING.EXE
2868	PING.EXE
2388	PING.EXE
2608	PING.EXE
1092	PING.EXE
2080	PING.EXE
2236	PING.EXE
1944	PING.EXE
2268	PING.EXE
1252	PING.EXE
2204	PING.EXE
2756	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1728	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1612	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1588	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1884	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1696	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2084	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2304	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2760	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1620	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2808	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1132	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	912	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1892	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 1912	592	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	31
PID 592 wrote to memory of 1912	592	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	31
PID 592 wrote to memory of 1912	592	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	31
PID 592 wrote to memory of 1912	592	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	31
PID 1912 wrote to memory of 2892	1912	cmd.exe	33
PID 1912 wrote to memory of 2892	1912	cmd.exe	33
PID 1912 wrote to memory of 2892	1912	cmd.exe	33
PID 1912 wrote to memory of 2892	1912	cmd.exe	33
PID 1912 wrote to memory of 2868	1912	cmd.exe	34
PID 1912 wrote to memory of 2868	1912	cmd.exe	34
PID 1912 wrote to memory of 2868	1912	cmd.exe	34
PID 1912 wrote to memory of 2868	1912	cmd.exe	34
PID 1912 wrote to memory of 1728	1912	cmd.exe	36
PID 1912 wrote to memory of 1728	1912	cmd.exe	36
PID 1912 wrote to memory of 1728	1912	cmd.exe	36
PID 1912 wrote to memory of 1728	1912	cmd.exe	36
PID 1728 wrote to memory of 2156	1728	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	37
PID 1728 wrote to memory of 2156	1728	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	37
PID 1728 wrote to memory of 2156	1728	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	37
PID 1728 wrote to memory of 2156	1728	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	37
PID 2156 wrote to memory of 2152	2156	cmd.exe	39
PID 2156 wrote to memory of 2152	2156	cmd.exe	39
PID 2156 wrote to memory of 2152	2156	cmd.exe	39
PID 2156 wrote to memory of 2152	2156	cmd.exe	39
PID 2156 wrote to memory of 2388	2156	cmd.exe	40
PID 2156 wrote to memory of 2388	2156	cmd.exe	40
PID 2156 wrote to memory of 2388	2156	cmd.exe	40
PID 2156 wrote to memory of 2388	2156	cmd.exe	40
PID 2156 wrote to memory of 1612	2156	cmd.exe	41
PID 2156 wrote to memory of 1612	2156	cmd.exe	41
PID 2156 wrote to memory of 1612	2156	cmd.exe	41
PID 2156 wrote to memory of 1612	2156	cmd.exe	41
PID 1612 wrote to memory of 1880	1612	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	42
PID 1612 wrote to memory of 1880	1612	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	42
PID 1612 wrote to memory of 1880	1612	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	42
PID 1612 wrote to memory of 1880	1612	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	42
PID 1880 wrote to memory of 1192	1880	cmd.exe	44
PID 1880 wrote to memory of 1192	1880	cmd.exe	44
PID 1880 wrote to memory of 1192	1880	cmd.exe	44
PID 1880 wrote to memory of 1192	1880	cmd.exe	44
PID 1880 wrote to memory of 1944	1880	cmd.exe	45
PID 1880 wrote to memory of 1944	1880	cmd.exe	45
PID 1880 wrote to memory of 1944	1880	cmd.exe	45
PID 1880 wrote to memory of 1944	1880	cmd.exe	45
PID 1880 wrote to memory of 1588	1880	cmd.exe	46
PID 1880 wrote to memory of 1588	1880	cmd.exe	46
PID 1880 wrote to memory of 1588	1880	cmd.exe	46
PID 1880 wrote to memory of 1588	1880	cmd.exe	46
PID 1588 wrote to memory of 380	1588	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	47
PID 1588 wrote to memory of 380	1588	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	47
PID 1588 wrote to memory of 380	1588	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	47
PID 1588 wrote to memory of 380	1588	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	47
PID 380 wrote to memory of 2184	380	cmd.exe	49
PID 380 wrote to memory of 2184	380	cmd.exe	49
PID 380 wrote to memory of 2184	380	cmd.exe	49
PID 380 wrote to memory of 2184	380	cmd.exe	49
PID 380 wrote to memory of 2268	380	cmd.exe	50
PID 380 wrote to memory of 2268	380	cmd.exe	50
PID 380 wrote to memory of 2268	380	cmd.exe	50
PID 380 wrote to memory of 2268	380	cmd.exe	50
PID 380 wrote to memory of 1884	380	cmd.exe	51
PID 380 wrote to memory of 1884	380	cmd.exe	51
PID 380 wrote to memory of 1884	380	cmd.exe	51
PID 380 wrote to memory of 1884	380	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
"C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\GFEdbXmySLhs.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
    "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ticUA1hyUoPa.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9SaWte4LGNZJ.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\53GS2hDWAtV2.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QJB1JHLH8DFa.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VRdFo1QBlJT1.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JxSJkjq8LCGR.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIElEei8dA9H.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\z0O3AYuBtuc6.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\p1MvsSwD9lIR.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sfeLbzP15tdx.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        23⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4NodXtb5Le6n.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Yhb51oT5dczd.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zXEjkXi0EbzZ.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bxNAg9FOz4wm.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4NodXtb5Le6n.bat

Filesize
261B

MD5
a7ee2c3800c4ed7c49912681f1801fd7

SHA1
7797bbc55e12524ffafb9f8adad2977a99d6428f

SHA256
7dfd91a534a8045105137ba6d3ca1333f0853ba86de75495723fc5411565a61d

SHA512
a67d4d3278a5df0dd1430f148929dff19273f4877f59f2205ab5864aa5f1e95b5fea559ee0098d653efe07d16371886995174a495a55020a021f29f83a048803

Download Submit
C:\Users\Admin\AppData\Local\Temp\53GS2hDWAtV2.bat

Filesize
261B

MD5
097189ecf493e2404482351797c3a308

SHA1
c8a8601e491cf8cf3c2f2223ce355858c318052e

SHA256
45bcc268ab662f48135d6b1e1542a11ec1dc2ce7ce7fd2d043f50444b38ac050

SHA512
15e24f84e30da4c197690d5ccf6bb17c7dc481ddae8d7eedeb0a2655cebdfbdc2e69cdd0f9aee6feccad39b775fcffc17ce00287ed0d76f2acc40cb707c2cd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9SaWte4LGNZJ.bat

Filesize
261B

MD5
db4bd2a9163b70aff58dedd4146ce6e1

SHA1
48624bef8ec8c411bda24a8b091b791dec49f9a0

SHA256
27e30538e4052b139323d4f1cf603a37a34db30f0538baec983f8b4e05117317

SHA512
6234efccbc2c6ac316f7799e144afb18a0e7b4c6b75d6f13379ad70810e6f4683ee4b4df9386db94df7b627d7dbfc9afa40db3ef77d357e89bcc142ded0336aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\GFEdbXmySLhs.bat

Filesize
261B

MD5
8d50bd213498806ee6984475a1173422

SHA1
2ea273144037bf7c5896be0aa0ddfdc3ad62b0a1

SHA256
d01715efcef798bf8a293a22bb304d55af5258abd47bf718106b92b0ce760abe

SHA512
b715e54654e018f134189efc2faed6cb3db077c9b86dc3963eafd4d108527fd6cb95f319dd498cce5fc0a41662cd451a255e62b5ab18939cfb87536ecd50ed3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JxSJkjq8LCGR.bat

Filesize
261B

MD5
38deb8585ab8d67844ca8f2e6a579b66

SHA1
38673b2f599154966046b0309504cfe365643a0e

SHA256
0af7f289b1c3aac2f38b6246be46959d3176488ce978fa03f0b9a12cfd5d5f66

SHA512
310cbf03e8f59cfd87fc02c0bc17f8225714dd76ecb583cde71a8683937e2c16476150ecb0d14a5cfee220fad53249e3905c374803875703a311f6d2daffd60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QJB1JHLH8DFa.bat

Filesize
261B

MD5
b1e758cb3fd4a495b4dea080e197282c

SHA1
12129b5d111d6b6128db086d6699b0ba1ab3bf08

SHA256
aa8e6537a28e84cf041b1ad502a95928e0f044b19d02cf9efa92f9b6fa47668e

SHA512
f01d4ea47741392c507c12188a53929c0ae7bf784a28f4efbfd6bfb5c56e87baedd71258eec143bf65af7a2fbc7e15c2e6ca1c00da4007e3c4f0888e1f346587

Download Submit
C:\Users\Admin\AppData\Local\Temp\VRdFo1QBlJT1.bat

Filesize
261B

MD5
f4003e48ed25f4e8df4625148184aac3

SHA1
96e03bf1a3d3add6c79c56acb4869fc0339e3720

SHA256
1f81754221e877b793d6b2fba11714eadb867c6631f6a04791272e693b374f8c

SHA512
7988a0b771cb59ff279ef6ff311968165e82ba996a386474f3038df71019d2f2baafd223da745775a9ae676ab9123dd1c3c932bdf6b001673d955ec06c86de40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yhb51oT5dczd.bat

Filesize
261B

MD5
b953ceef551b7a243347bf2b56ed175a

SHA1
774da3000a72aedb0df10d9ed877ae579d3018a1

SHA256
bfdd9b7b2b701fff2432cd30622cf2df611737aded31d2bb1cbb28aca8d59b76

SHA512
725751a8b487802e0cf13dbbb94c1e5333eb9daade66c8b4e5bc46bf5ec5abfb28a6950232f358b86c052975e251c7f2e1f6df85149bc617321ac82fc867e5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIElEei8dA9H.bat

Filesize
261B

MD5
ebfda402e573ed04c42b2bba122ee691

SHA1
ec955da0e342e61b1b90bf079b797e2ec53c66c7

SHA256
ff73a372254593e07df761d3f27db38936b357b0cab9b1d483091fee19ad6403

SHA512
9070e7d7f988d4d317dc2f7951254ae40f635b615164c7bf0413d8643641a123a4d9fad0de19db36a6abef9cb9ed98477a499eb48e38b8d463392fe0ba33655c

Download Submit
C:\Users\Admin\AppData\Local\Temp\p1MvsSwD9lIR.bat

Filesize
261B

MD5
26138f0e491afede57af3126be0221e6

SHA1
a6d40d4b3afc050294160edde574bd6b99360a5c

SHA256
27f5a6d32a5e3452482aab3e1613a03ad9208273eeb2ae3b1cc3d92a9872080c

SHA512
0c7e5b99821a2fe02c3f34ce2bcb41b1d458753092df185734f2b207badb2c4cd63cfeff900ad94b7d838607889ba51bf55f727bee5229261ca8a29fe3b9d349

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfeLbzP15tdx.bat

Filesize
261B

MD5
800cb9b521990949eae8f7f2f1c59184

SHA1
867072b122318e86f7465c254c8d1232b54b50b5

SHA256
9e9fa48b7bd3bba1c046dc4bc603711762f6848312b569785fb3a511d45c2030

SHA512
bcfea50717c26044952b4292b92ef67c6a805af4b70da6d7e26badf5c8b8fbefb8c83514fe644f8be93a7e18469e92c1eb5dc323b8068033cb1037e40edfc425

Download Submit
C:\Users\Admin\AppData\Local\Temp\ticUA1hyUoPa.bat

Filesize
261B

MD5
8ae3538d6137a2e24d8bd11747139bdf

SHA1
2bbfbc6238e03e5caf706d43e3cec9b0d5307e46

SHA256
295763afd62819fd5d6eec95de69eaee2405706fb32d7825775516c39bb97e48

SHA512
2c8e16ff5c16fd256e848611c10400f6a960305e2a3ac5951dbc138ab23310ce0ee04d024b81789fa8ce49f09e7dfc3a00be9e3654ae93ad786183bf754b4223

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0O3AYuBtuc6.bat

Filesize
261B

MD5
d981ef0f6e41467a20a61da24d26c8fb

SHA1
8ae12b74a89e91a82b7771f717babbbd9973dc2e

SHA256
26f36dd59d6a90123e216e840605ef8f62b7f3f1528e30b981f1a27625fe78a3

SHA512
01007c8dac8dcdcd66b42d6f91ff038374e4bb58e9abb9bf4a6c2cdbd7deb07527a5969005d673c90a7fd49105c8ff0702b560917fd670eb24bb065296c5bf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXEjkXi0EbzZ.bat

Filesize
261B

MD5
1d0caa8725a23121bd608cc397ee1f96

SHA1
26586377d3b8e89fe6c3bcd6fc40d7567a192427

SHA256
d9fa50d56389f80c52a6b184b8e8c34715f4c191c79a3b5e311b36fecfe7328c

SHA512
3e7c5d40269dba7764b4ebca4a871de6d3764475f8d4ccaeb2ec2875b46f01b41952534ef0029677badcd8fdc54d5ecdd3dfc340b5b791f4b13e300ea35d2c0d

Download Submit
memory/592-0-0x00000000740BE000-0x00000000740BF000-memory.dmp

Filesize
4KB

Download
memory/592-11-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/592-2-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/592-1-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/912-121-0x0000000001150000-0x00000000011AE000-memory.dmp

Filesize
376KB

Download
memory/1132-111-0x0000000000340000-0x000000000039E000-memory.dmp

Filesize
376KB

Download
memory/1612-23-0x0000000000160000-0x00000000001BE000-memory.dmp

Filesize
376KB

Download
memory/1620-91-0x0000000000090000-0x00000000000EE000-memory.dmp

Filesize
376KB

Download
memory/1696-52-0x0000000001110000-0x000000000116E000-memory.dmp

Filesize
376KB

Download
memory/1728-13-0x00000000003F0000-0x000000000044E000-memory.dmp

Filesize
376KB

Download
memory/1732-143-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/1884-42-0x0000000001110000-0x000000000116E000-memory.dmp

Filesize
376KB

Download
memory/1892-131-0x0000000001310000-0x000000000136E000-memory.dmp

Filesize
376KB

Download
memory/2304-71-0x00000000012C0000-0x000000000131E000-memory.dmp

Filesize
376KB

Download
memory/2760-81-0x00000000012C0000-0x000000000131E000-memory.dmp

Filesize
376KB

Download
memory/2808-101-0x0000000000D90000-0x0000000000DEE000-memory.dmp

Filesize
376KB

Download