quasar | 59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Size

348KB
MD5

e3227ee81215e58ad2b59b277ffb79f4
SHA1

cfc16846c11f280d907f151a3745827313e92fbf
SHA256

59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4
SHA512

b146155add08215e7376fe8ea2e8d8080467326de410eeee8feddcd27b5b821143d23f84d87d52f0c2e3601f9519ccd589e00249c008671f6572c348d09e248f
SSDEEP

6144:Aw6bPXhLApfpZUAlrmOW5bkjz3jnRBPtcW:xmhAp0Al8WjnRBP2W

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

myhost88.ddns.net:4782

Mutex

QSR_MUTEX_gBbXbVHlujwl4SvP3X

Attributes

encryption_key
7Bgb3YgUbXKS2un5vbeM
install_name
ms configs.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ms configs
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	17	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
	2	ip-api.com	Process not Found
	10	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 15 IoCs

resource	yara_rule
behavioral1/memory/1672-1-0x0000000000BA0000-0x0000000000BFE000-memory.dmp	family_quasar
behavioral1/memory/2516-13-0x00000000001B0000-0x000000000020E000-memory.dmp	family_quasar
behavioral1/memory/868-23-0x0000000000B90000-0x0000000000BEE000-memory.dmp	family_quasar
behavioral1/memory/2044-33-0x00000000012A0000-0x00000000012FE000-memory.dmp	family_quasar
behavioral1/memory/2400-43-0x0000000001390000-0x00000000013EE000-memory.dmp	family_quasar
behavioral1/memory/1244-53-0x0000000000320000-0x000000000037E000-memory.dmp	family_quasar
behavioral1/memory/2444-63-0x0000000000360000-0x00000000003BE000-memory.dmp	family_quasar
behavioral1/memory/2140-73-0x00000000000F0000-0x000000000014E000-memory.dmp	family_quasar
behavioral1/memory/2988-83-0x0000000000010000-0x000000000006E000-memory.dmp	family_quasar
behavioral1/memory/2972-93-0x0000000000A80000-0x0000000000ADE000-memory.dmp	family_quasar
behavioral1/memory/852-103-0x0000000000AB0000-0x0000000000B0E000-memory.dmp	family_quasar
behavioral1/memory/2948-113-0x0000000000340000-0x000000000039E000-memory.dmp	family_quasar
behavioral1/memory/1636-123-0x00000000012D0000-0x000000000132E000-memory.dmp	family_quasar
behavioral1/memory/2980-133-0x00000000012D0000-0x000000000132E000-memory.dmp	family_quasar
behavioral1/memory/3056-143-0x0000000000340000-0x000000000039E000-memory.dmp	family_quasar

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
10	ip-api.com
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1532	PING.EXE
1072	PING.EXE
1640	PING.EXE
1920	PING.EXE
2368	PING.EXE
2500	PING.EXE
300	PING.EXE
1156	PING.EXE
2352	PING.EXE
924	PING.EXE
2208	PING.EXE
2300	PING.EXE
2716	PING.EXE
2524	PING.EXE
812	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1920	PING.EXE
1072	PING.EXE
1156	PING.EXE
812	PING.EXE
2300	PING.EXE
2716	PING.EXE
2524	PING.EXE
924	PING.EXE
300	PING.EXE
2352	PING.EXE
2500	PING.EXE
1640	PING.EXE
2208	PING.EXE
1532	PING.EXE
2368	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2516	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	868	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2044	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2400	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1244	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2444	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2140	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2988	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2972	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	852	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2948	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1636	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2980	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	3056	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2616	1672	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	29
PID 1672 wrote to memory of 2616	1672	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	29
PID 1672 wrote to memory of 2616	1672	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	29
PID 1672 wrote to memory of 2616	1672	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	29
PID 2616 wrote to memory of 2872	2616	cmd.exe	31
PID 2616 wrote to memory of 2872	2616	cmd.exe	31
PID 2616 wrote to memory of 2872	2616	cmd.exe	31
PID 2616 wrote to memory of 2872	2616	cmd.exe	31
PID 2616 wrote to memory of 2524	2616	cmd.exe	32
PID 2616 wrote to memory of 2524	2616	cmd.exe	32
PID 2616 wrote to memory of 2524	2616	cmd.exe	32
PID 2616 wrote to memory of 2524	2616	cmd.exe	32
PID 2616 wrote to memory of 2516	2616	cmd.exe	33
PID 2616 wrote to memory of 2516	2616	cmd.exe	33
PID 2616 wrote to memory of 2516	2616	cmd.exe	33
PID 2616 wrote to memory of 2516	2616	cmd.exe	33
PID 2516 wrote to memory of 2412	2516	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	34
PID 2516 wrote to memory of 2412	2516	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	34
PID 2516 wrote to memory of 2412	2516	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	34
PID 2516 wrote to memory of 2412	2516	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	34
PID 2412 wrote to memory of 560	2412	cmd.exe	36
PID 2412 wrote to memory of 560	2412	cmd.exe	36
PID 2412 wrote to memory of 560	2412	cmd.exe	36
PID 2412 wrote to memory of 560	2412	cmd.exe	36
PID 2412 wrote to memory of 1156	2412	cmd.exe	37
PID 2412 wrote to memory of 1156	2412	cmd.exe	37
PID 2412 wrote to memory of 1156	2412	cmd.exe	37
PID 2412 wrote to memory of 1156	2412	cmd.exe	37
PID 2412 wrote to memory of 868	2412	cmd.exe	38
PID 2412 wrote to memory of 868	2412	cmd.exe	38
PID 2412 wrote to memory of 868	2412	cmd.exe	38
PID 2412 wrote to memory of 868	2412	cmd.exe	38
PID 868 wrote to memory of 3040	868	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	39
PID 868 wrote to memory of 3040	868	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	39
PID 868 wrote to memory of 3040	868	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	39
PID 868 wrote to memory of 3040	868	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	39
PID 3040 wrote to memory of 2752	3040	cmd.exe	41
PID 3040 wrote to memory of 2752	3040	cmd.exe	41
PID 3040 wrote to memory of 2752	3040	cmd.exe	41
PID 3040 wrote to memory of 2752	3040	cmd.exe	41
PID 3040 wrote to memory of 2352	3040	cmd.exe	42
PID 3040 wrote to memory of 2352	3040	cmd.exe	42
PID 3040 wrote to memory of 2352	3040	cmd.exe	42
PID 3040 wrote to memory of 2352	3040	cmd.exe	42
PID 3040 wrote to memory of 2044	3040	cmd.exe	45
PID 3040 wrote to memory of 2044	3040	cmd.exe	45
PID 3040 wrote to memory of 2044	3040	cmd.exe	45
PID 3040 wrote to memory of 2044	3040	cmd.exe	45
PID 2044 wrote to memory of 2032	2044	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	46
PID 2044 wrote to memory of 2032	2044	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	46
PID 2044 wrote to memory of 2032	2044	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	46
PID 2044 wrote to memory of 2032	2044	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	46
PID 2032 wrote to memory of 2096	2032	cmd.exe	48
PID 2032 wrote to memory of 2096	2032	cmd.exe	48
PID 2032 wrote to memory of 2096	2032	cmd.exe	48
PID 2032 wrote to memory of 2096	2032	cmd.exe	48
PID 2032 wrote to memory of 1920	2032	cmd.exe	49
PID 2032 wrote to memory of 1920	2032	cmd.exe	49
PID 2032 wrote to memory of 1920	2032	cmd.exe	49
PID 2032 wrote to memory of 1920	2032	cmd.exe	49
PID 2032 wrote to memory of 2400	2032	cmd.exe	50
PID 2032 wrote to memory of 2400	2032	cmd.exe	50
PID 2032 wrote to memory of 2400	2032	cmd.exe	50
PID 2032 wrote to memory of 2400	2032	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
"C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\rF6Ca9gFFPkK.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2524
- - C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
    "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\WE9yAAAT6jF2.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:560
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
    - - C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eOPvSeQgFdAN.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sbi29kEpBLW6.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NzF0WsQauC5W.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xtjWSwPkpoEk.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PjMAAfffQoEg.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bRWS6YrigZhV.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rBUTpBD5R7sE.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zsp2yKGpB4d9.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgewtJLQGGxB.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        23⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ya8SpNKaCs6P.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IO9dxcFslGhX.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ehpi7OjPAU7e.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YjbKc3vkw9Vt.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IO9dxcFslGhX.bat

Filesize
261B

MD5
36bf6c15a8468192f628b8019a0f2b7a

SHA1
2ab5b21b33a59dedc5a91434d738b2bded6de99a

SHA256
d7493391f696312ee69805c38b5b046a7e4c5808b28b965641ed192bc24f452b

SHA512
00bc6019f597f03a2862f34cf81002f582a37273346b12c29cf6f90a08340d548fc6b24886b1477cefc8ad27c09b0f874dd801d53f7de7ecd4d70c4b612035e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgewtJLQGGxB.bat

Filesize
261B

MD5
04d4fb69b504bcadd0fc44f4b26525dd

SHA1
3b8e85d7b98088de3643d865f243fb1e2acf51f7

SHA256
174e2acdd53c0abb738dfadea8f4aa642f8bd4bf30a558151fd37485d4df22d5

SHA512
5e8d0eb211434e09c754298c55842133e7f7fae85ef9436d299194a3701e3f0fbd284797512aebc06a28ce0e127725bf8260ff958039e2a8401d292976d1f4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NzF0WsQauC5W.bat

Filesize
261B

MD5
fe5fdd1f56550a5a95df3a9f30f84ac2

SHA1
9a60f8536d6e34b1c5104f2a29ec81b89a76e79d

SHA256
034c11e6b13d42d336741b8d13772e1f7b2c3392bb6877f5397ba7256d32954d

SHA512
1198e3344a66293746874faa6e6e8b55c06c8f96e78208f6ae49337d6812400dac42eb0c1731121c95b9b27685d5205896f197f32fc6a207a7a4246500214f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PjMAAfffQoEg.bat

Filesize
261B

MD5
14e87fd997c2214a93c99d82595c457a

SHA1
8a30e39fe1209041f11cb2a8a8499e222bd11baf

SHA256
8dbe8e2acc30bbb3d27fb850ff61e335e20af2d960ed435db0673f896444e114

SHA512
071bb420e285f632260e43b5f7cf0d237d2191037a18e604dff295ce9e81a968ad00d12e37a7d40d750956622564e36fb3f29370e1094ddeaa3ff7fe34f3db60

Download Submit
C:\Users\Admin\AppData\Local\Temp\WE9yAAAT6jF2.bat

Filesize
261B

MD5
443ec329d80efbad7d07f5c001bc1b6e

SHA1
700b0d0c94379d5c42be21812b28bfc14bd71117

SHA256
9aee0b8d8f16a56882839d77a392bca8b5e88dca641cf665631c377ef0aa017f

SHA512
7ff4a8dd11fa47917637a3a561cb475b178e505bf007b3e89837b7b82694afc1cd4ceaabaac7de4216534cdf91ce0da0c204c5ba7f077e8286ab343d99c097b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YjbKc3vkw9Vt.bat

Filesize
261B

MD5
8be77c81929c2f997f2d2fc4fd8dd45a

SHA1
0bbc78c86b03925d8e3a2a23b579284c4c87130a

SHA256
fd3dc99c6594e2c02fb506972984bbd3b122aebac792d15a1b4e901015b4cf6c

SHA512
3337ac5393a431a9cfae9e547fd8cef707b8bd925a0830253b71420cab1453f243f5f841b57b04617dfde8822a1577fa48a5715109f427e6f5deab64d068f919

Download Submit
C:\Users\Admin\AppData\Local\Temp\bRWS6YrigZhV.bat

Filesize
261B

MD5
bb05e61ed7447a4a8643c6d5481c4317

SHA1
85ac9c7b7809d9a0bb4c213dfef6eae7bc48a46e

SHA256
ec198da3bb5752922211ade20bfe7c01b5903bf4eacaa43d7f5ad8e2a1fbbb52

SHA512
69734ddd8709f45f7fef2d9507b76d343a2317ee9ba26a080a2223666c61d23ac6a38a424081a77ee9ef932328d77c2e7eefb42a1e90031818d6d300c187f13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eOPvSeQgFdAN.bat

Filesize
261B

MD5
d8bd057a3078d174f78d0119476ee647

SHA1
3eb724015d455065fe617b86993e5617880cf55d

SHA256
8f374ce9a4c118bc7e981bd1bed97e01ae9733b9ee54eeb243eb2be1db55e459

SHA512
aa50d25f18da721bdf0faeaef8918d408066512b91494fdd2acf929b80dd06ab9cd8f4bfdaf7046f7a278c8a17ee52ad8abe97f35a1a079848a392e2cb073464

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehpi7OjPAU7e.bat

Filesize
261B

MD5
716f9eefcdd2cf2d69319e79dd24a835

SHA1
c70f5ed1bfe71bd5019c36783240e237080de8b6

SHA256
43ee8259a664ce73d061c17051ed0f363e79132a3373563f171c587bd090af71

SHA512
f5b8c65885a55799b81828235573293f35c3024a2bcc6448aaf9c578b8369e03f7871992f7fce6354df7993481bb1d869bd532e96c104c7a05029e4b84218408

Download Submit
C:\Users\Admin\AppData\Local\Temp\rBUTpBD5R7sE.bat

Filesize
261B

MD5
b160c97fe3ae12c75d0a7ddb33778778

SHA1
6d5fbe842a92eaf9d51ddf4bfb9f5179c4f8b491

SHA256
c02a3a3b4ff68892f1028270d06102ed97fc60a855c66f4736c45e98f123f4d8

SHA512
50f52c1708784127f1553c6df8ff9580f0edc15c385d3f8f7521ad1a7c578af510d6aa1f25ef206f6d115a3ce27ad2e4666dedd189f8f06b70cb8b914b878cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rF6Ca9gFFPkK.bat

Filesize
261B

MD5
7e738f159ef2e2aeab8d6f30580ca286

SHA1
03c724170b2698cc4de4494f34c11e397976a853

SHA256
82620ecc89053e5d9b3ccb6b8cf849aba812211da4779bc9299144d8f66d2892

SHA512
4c199f6920cf3b7a620a5f630e5295a2f3058a28543d61b97662c69f0ca26b59e415a954aa5eb2b68fc00d5c5b0caa29f6f4b0dc9f5d702e4548bf95dd90a4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbi29kEpBLW6.bat

Filesize
261B

MD5
7616fd542852fab9352c44454268f1f3

SHA1
aac10702d090bf55f8a59528c814142d3fa974ec

SHA256
29ba25273c49f481b0f7a6054875112525549bb3f63576ec40b85f6a6694faba

SHA512
45cf4e56b74e856f96cacddfa96850b7fb616d6eec863535629a8d27c5f5d65feb7424ad013a0e076665e37769ba5cd65ec874c730e4b5489ab98fe75894a881

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtjWSwPkpoEk.bat

Filesize
261B

MD5
b5b30a1bf688f07cb66c5fb950748ae5

SHA1
d353d6f65ef03083ab74d441eec4257f711b73fc

SHA256
8623346738be8197340a01a24b0fbe69335a4f97a646695c1d741d86f4331e67

SHA512
18a4fade3a0906e52f0f6931ec27925cc04d651f506a039b46ea125cc3138e478bf150c160db2827a4196ce9947d646459b2fcb155a49ff731d86977eda16a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ya8SpNKaCs6P.bat

Filesize
261B

MD5
27048511d13ffea12c1b40a2e425cc9f

SHA1
e5f4c778f352a502d356e85c60b1a00355c69a3b

SHA256
4f6525b8cbbcbaaad582ad2eb760a3381aff32bf17b93634c6b09428e38b9455

SHA512
903cdf92331ca772549d3b841f5919d9a90bbada09bc69e0eafbebb9c53cb6b3b4a9e968dee1332ff40985f8862e7ffe09da5e6410b0f0cdbf7b8de4e5dd8dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsp2yKGpB4d9.bat

Filesize
261B

MD5
fa83b6cacfe7301c7ee3c86e374583d5

SHA1
09c871b024f50be30c5a1ea791c630ebb40e176a

SHA256
e60327f2fa42e9a623bae92f21fa2c2c4f69692db198cfbfb2df1abab9b9393a

SHA512
fee54e4c19e293791b3bc3fe1854f7db17c6cf25bf8afdfc704b150a7e88e676fb67f7a8c2ca324fe10317779161fa19c7fb1c31c52fe320d640c94fc9f1ac78

Download Submit
memory/852-103-0x0000000000AB0000-0x0000000000B0E000-memory.dmp

Filesize
376KB

Download
memory/868-23-0x0000000000B90000-0x0000000000BEE000-memory.dmp

Filesize
376KB

Download
memory/1244-53-0x0000000000320000-0x000000000037E000-memory.dmp

Filesize
376KB

Download
memory/1636-123-0x00000000012D0000-0x000000000132E000-memory.dmp

Filesize
376KB

Download
memory/1672-1-0x0000000000BA0000-0x0000000000BFE000-memory.dmp

Filesize
376KB

Download
memory/1672-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/1672-12-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1672-2-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-33-0x00000000012A0000-0x00000000012FE000-memory.dmp

Filesize
376KB

Download
memory/2140-73-0x00000000000F0000-0x000000000014E000-memory.dmp

Filesize
376KB

Download
memory/2400-43-0x0000000001390000-0x00000000013EE000-memory.dmp

Filesize
376KB

Download
memory/2444-63-0x0000000000360000-0x00000000003BE000-memory.dmp

Filesize
376KB

Download
memory/2516-13-0x00000000001B0000-0x000000000020E000-memory.dmp

Filesize
376KB

Download
memory/2948-113-0x0000000000340000-0x000000000039E000-memory.dmp

Filesize
376KB

Download
memory/2972-93-0x0000000000A80000-0x0000000000ADE000-memory.dmp

Filesize
376KB

Download
memory/2980-133-0x00000000012D0000-0x000000000132E000-memory.dmp

Filesize
376KB

Download
memory/2988-83-0x0000000000010000-0x000000000006E000-memory.dmp

Filesize
376KB

Download
memory/3056-143-0x0000000000340000-0x000000000039E000-memory.dmp

Filesize
376KB

Download