asyncrat | 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe
Size

39.9MB
MD5

e1a72f7e4426c8d5e849459fa7c7e476
SHA1

e1101a053ebe7cf5dc44f4f4ea787be113cae10f
SHA256

9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece
SHA512

0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f
SSDEEP

786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW

Score

10^/10

asyncrat quasar xworm default office04 slave execution rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

wiz.bounceme.net:6000

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

history-foo.gl.at.ply.gg:42349

Mutex

2beddbf7-c691-4058-94c7-f54389b4a581

Attributes

encryption_key
CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
ql4fQ8TV9ZFP9vRX2myA
install_name
$sxr~Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$77STARTUP~MSF
subdirectory
$sxr~SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mshta.exe	family_xworm
behavioral2/memory/2588-32-0x0000000000D30000-0x0000000000D48000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_xworm
behavioral2/memory/4792-56-0x00000000004B0000-0x00000000004CA000-memory.dmp	family_xworm
behavioral2/memory/2588-181-0x000000001DEA0000-0x000000001DEAE000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hat.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Client-built.exe	family_quasar
behavioral2/memory/4420-61-0x0000000000A90000-0x0000000000AFC000-memory.dmp	family_quasar
behavioral2/memory/4888-62-0x0000000000DC0000-0x00000000010E4000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Async RAT payload 1 IoCs
rat

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\ONPE.exe family_asyncrat

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ONPE.exe	family_asyncrat

Detects Windows executables referencing non-Windows User-Agents 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hat.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Local\Temp\mshta.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2588-32-0x0000000000D30000-0x0000000000D48000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Local\Temp\svchost.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4792-56-0x00000000004B0000-0x00000000004CA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Local\Temp\Client-built.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4420-61-0x0000000000A90000-0x0000000000AFC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4888-62-0x0000000000DC0000-0x00000000010E4000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2588-181-0x000000001DEA0000-0x000000001DEAE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Client-built.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4888-62-0x0000000000DC0000-0x00000000010E4000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables attemping to enumerate video devices using WMI 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ONPE.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral2/memory/3968-45-0x0000000000A10000-0x0000000000A26000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing common artifacts observed in infostealers 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Client-built.exe	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral2/memory/4888-62-0x0000000000DC0000-0x00000000010E4000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer

Detects executables containing the string DcRatBy 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ONPE.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy
behavioral2/memory/3968-45-0x0000000000A10000-0x0000000000A26000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

804 powershell.exe
2764 powershell.exe
3628 powershell.exe
1452 powershell.exe

pid	process
804	powershell.exe
2764	powershell.exe
3628	powershell.exe
1452	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 6 IoCs

Processes:

hat.exemshta.exeONPE.exesvchost.exeClient-built.exeindex.exe

pid process

4420 hat.exe
2588 mshta.exe
3968 ONPE.exe
4792 svchost.exe
4888 Client-built.exe
2068 index.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4568 taskkill.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2044 schtasks.exe

pid	process
4420	hat.exe
2588	mshta.exe
3968	ONPE.exe
4792	svchost.exe
4888	Client-built.exe
2068	index.exe

flow	ioc
17	ip-api.com

pid	process
4568	taskkill.exe

pid	process
2044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemshta.exesvchost.exe

pid	process
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
2764	powershell.exe
2764	powershell.exe
1540	powershell.exe
1540	powershell.exe
2764	powershell.exe
1540	powershell.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
1452	powershell.exe
1452	powershell.exe
1452	powershell.exe
2588	mshta.exe
2588	mshta.exe
4792	svchost.exe
4792	svchost.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

Client-built.exemshta.exeONPE.exesvchost.exehat.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exepowershell.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4888	Client-built.exe
Token: SeDebugPrivilege	2588	mshta.exe
Token: SeDebugPrivilege	3968	ONPE.exe
Token: SeDebugPrivilege	4792	svchost.exe
Token: SeDebugPrivilege	4420	hat.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeIncreaseQuotaPrivilege	3348	WMIC.exe
Token: SeSecurityPrivilege	3348	WMIC.exe
Token: SeTakeOwnershipPrivilege	3348	WMIC.exe
Token: SeLoadDriverPrivilege	3348	WMIC.exe
Token: SeSystemProfilePrivilege	3348	WMIC.exe
Token: SeSystemtimePrivilege	3348	WMIC.exe
Token: SeProfSingleProcessPrivilege	3348	WMIC.exe
Token: SeIncBasePriorityPrivilege	3348	WMIC.exe
Token: SeCreatePagefilePrivilege	3348	WMIC.exe
Token: SeBackupPrivilege	3348	WMIC.exe
Token: SeRestorePrivilege	3348	WMIC.exe
Token: SeShutdownPrivilege	3348	WMIC.exe
Token: SeDebugPrivilege	3348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3348	WMIC.exe
Token: SeRemoteShutdownPrivilege	3348	WMIC.exe
Token: SeUndockPrivilege	3348	WMIC.exe
Token: SeManageVolumePrivilege	3348	WMIC.exe
Token: 33	3348	WMIC.exe
Token: 34	3348	WMIC.exe
Token: 35	3348	WMIC.exe
Token: 36	3348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3348	WMIC.exe
Token: SeSecurityPrivilege	3348	WMIC.exe
Token: SeTakeOwnershipPrivilege	3348	WMIC.exe
Token: SeLoadDriverPrivilege	3348	WMIC.exe
Token: SeSystemProfilePrivilege	3348	WMIC.exe
Token: SeSystemtimePrivilege	3348	WMIC.exe
Token: SeProfSingleProcessPrivilege	3348	WMIC.exe
Token: SeIncBasePriorityPrivilege	3348	WMIC.exe
Token: SeCreatePagefilePrivilege	3348	WMIC.exe
Token: SeBackupPrivilege	3348	WMIC.exe
Token: SeRestorePrivilege	3348	WMIC.exe
Token: SeShutdownPrivilege	3348	WMIC.exe
Token: SeDebugPrivilege	3348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3348	WMIC.exe
Token: SeRemoteShutdownPrivilege	3348	WMIC.exe
Token: SeUndockPrivilege	3348	WMIC.exe
Token: SeManageVolumePrivilege	3348	WMIC.exe
Token: 33	3348	WMIC.exe
Token: 34	3348	WMIC.exe
Token: 35	3348	WMIC.exe
Token: 36	3348	WMIC.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2588	mshta.exe
Token: SeDebugPrivilege	4792	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Client-built.exehat.exemshta.exesvchost.exe

pid process

4888 Client-built.exe
4420 hat.exe
2588 mshta.exe
4792 svchost.exe

pid	process
4888	Client-built.exe
4420	hat.exe
2588	mshta.exe
4792	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exeindex.execmd.exehat.exemshta.execmd.exesvchost.exepowershell.execsc.exepowershell.exe

description	pid	process	target process
PID 2948 wrote to memory of 4420	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	hat.exe
PID 2948 wrote to memory of 4420	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	hat.exe
PID 2948 wrote to memory of 4420	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	hat.exe
PID 2948 wrote to memory of 2588	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	mshta.exe
PID 2948 wrote to memory of 2588	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	mshta.exe
PID 2948 wrote to memory of 3968	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	ONPE.exe
PID 2948 wrote to memory of 3968	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	ONPE.exe
PID 2948 wrote to memory of 4792	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	svchost.exe
PID 2948 wrote to memory of 4792	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	svchost.exe
PID 2948 wrote to memory of 4888	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	Client-built.exe
PID 2948 wrote to memory of 4888	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	Client-built.exe
PID 2948 wrote to memory of 2068	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	index.exe
PID 2948 wrote to memory of 2068	2948	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	index.exe
PID 2068 wrote to memory of 4136	2068	index.exe	cmd.exe
PID 2068 wrote to memory of 4136	2068	index.exe	cmd.exe
PID 2068 wrote to memory of 1000	2068	index.exe	cmd.exe
PID 2068 wrote to memory of 1000	2068	index.exe	cmd.exe
PID 4136 wrote to memory of 1720	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 1720	4136	cmd.exe	powershell.exe
PID 4420 wrote to memory of 2044	4420	hat.exe	schtasks.exe
PID 4420 wrote to memory of 2044	4420	hat.exe	schtasks.exe
PID 4420 wrote to memory of 2044	4420	hat.exe	schtasks.exe
PID 2588 wrote to memory of 804	2588	mshta.exe	powershell.exe
PID 2588 wrote to memory of 804	2588	mshta.exe	powershell.exe
PID 1000 wrote to memory of 2852	1000	cmd.exe	svchost.exe
PID 1000 wrote to memory of 2852	1000	cmd.exe	svchost.exe
PID 4792 wrote to memory of 2764	4792	svchost.exe	powershell.exe
PID 4792 wrote to memory of 2764	4792	svchost.exe	powershell.exe
PID 1720 wrote to memory of 3348	1720	powershell.exe	WMIC.exe
PID 1720 wrote to memory of 3348	1720	powershell.exe	WMIC.exe
PID 1000 wrote to memory of 1540	1000	cmd.exe	powershell.exe
PID 1000 wrote to memory of 1540	1000	cmd.exe	powershell.exe
PID 3348 wrote to memory of 548	3348	csc.exe	cvtres.exe
PID 3348 wrote to memory of 548	3348	csc.exe	cvtres.exe
PID 1540 wrote to memory of 3348	1540	powershell.exe	WMIC.exe
PID 1540 wrote to memory of 3348	1540	powershell.exe	WMIC.exe
PID 2588 wrote to memory of 3628	2588	mshta.exe	powershell.exe
PID 2588 wrote to memory of 3628	2588	mshta.exe	powershell.exe
PID 1540 wrote to memory of 4568	1540	powershell.exe	taskkill.exe
PID 1540 wrote to memory of 4568	1540	powershell.exe	taskkill.exe
PID 4792 wrote to memory of 1452	4792	svchost.exe	powershell.exe
PID 4792 wrote to memory of 1452	4792	svchost.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe
"C:\Users\Admin\AppData\Local\Temp\9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Users\Admin\AppData\Local\Temp\mshta.exe
"C:\Users\Admin\AppData\Local\Temp\mshta.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Users\Admin\AppData\Local\Temp\ONPE.exe
"C:\Users\Admin\AppData\Local\Temp\ONPE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Users\Admin\AppData\Local\Temp\index.exe
"C:\Users\Admin\AppData\Local\Temp\index.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\system32\cmd.exe
cmd.exe /C call powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
3⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ejoyxkv1\ejoyxkv1.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF194.tmp" "c:\Users\Admin\AppData\Local\Temp\ejoyxkv1\CSCA8C21895BBF6466C82DFB9B8F41F914.TMP"
6⤵
PID:548

C:\Windows\system32\cmd.exe
cmd.exe /C call C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat"
4⤵
PID:2852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im cmd.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=3048 /prefetch:8
1⤵
PID:4992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ae343a0c544713797d1582baed41cd6c

SHA1
170efb0fbebe36a6f605c6cfd664525f1158a58e

SHA256
dbc33d6f061613aaf9ec0a3472b37ec709ac168cde70c7b48c5807765f3ed292

SHA512
68afed158e066e67d6526627ceda320e1702779b95b8fe597ef573c1be7bcef0dc19f0e6fc17e8103c16fb0aa77d83e06e5f64435100d60193e3ee72e9bbc8b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat
Filesize
3.5MB

MD5
921a93456ac88d47914c5de9c9b33f7b

SHA1
b0f3b9d4200e807a8b66cf3b89dcb67a7b2d741b

SHA256
9427b87405fa4abf26b8aa85352dc8536c4e652d36cd0674bee60ae04c92f2a0

SHA512
14f5f1f414cdc4ed6fbafb9e647006f5aaf9be10bf2ac2096f728ca4a68375781c545fbecd2a0370a2038f45a92e26df6c07d453f2a57093020284a7c9b7db81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
Filesize
3.1MB

MD5
3609d79a3bd384ec00861417a1795932

SHA1
1e2beac3970f2debf5376ed1c4197380d1b1ab39

SHA256
ac77d98fe33fad34e96b6679e70dfb7fe1664249c8961da35b780ff0ef9feb80

SHA512
9ffcec4d0cf24bd199f26eda0b3f1528c9c46224ebc415f9adfe189af9ac2900fbfbb47dc29ba8b9f05b9e53d5b9907d3c51b753ce5d3e694029a86c624c8019

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONPE.exe
Filesize
63KB

MD5
27fe9341167a34f606b800303ac54b1f

SHA1
86373d218b48361bff1c23ddd08b6ab1803a51d0

SHA256
29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

SHA512
05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF194.tmp
Filesize
1KB

MD5
3e15989b1c42c9425b98d583972aba1d

SHA1
f8c5ebfc59fce7928ac190f64f0ffcce7459a785

SHA256
8ab8235c877c8c082521fb159fa36b280aa4c9ef6697352b3a2df9a99caa8dfa

SHA512
d00543ebfb054e8134dd126ca48f782189e3321c85de384d87fdd258967df7c9fa28df4d323e369149b08d880d37996b9454c0fa5fdf6d15c728f43b3d6b9754

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_widbqrkc.qij.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejoyxkv1\ejoyxkv1.dll
Filesize
3KB

MD5
d3bc1c127aae2b2d7fb89a6a06240188

SHA1
f0717e21afa9355fa14948fbc204968b083189d1

SHA256
42ee9d82709fe9859157adbcb61ad46aa63469497026374d1a65767260626fc2

SHA512
fd174af9963a85c13ad10a9c8e8377822715fd5da0090b1eb055b662b52290310437117263498e20326d7a04c350cac74d40e37c9d0c43e0b2532749cf5e79b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hat.exe
Filesize
409KB

MD5
e10c7425705b2bd3214fa96247ee21c4

SHA1
7603536b97ab6337fa023bafcf80579c2b4059e6

SHA256
021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

SHA512
47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\index.exe
Filesize
36.2MB

MD5
3c9563aff1bd31ffa1692db8bf1526a6

SHA1
b9038ff03f20441170548f3910f141d58f46e46f

SHA256
c722b281827e42918c087b7466b6afcf11fe715d45178556f4ecacee6edbdac2

SHA512
1ca5915b8f9b9e2fd34100cd9a4d4d5ccfd106e8c32189ddce90ec06073982871a8ae318051e9afe93247df89a5425efdea346014e2c16005e1193842b18ce0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotFjPWL.bat
Filesize
199B

MD5
736f438d6ab71467026317bae289d3a7

SHA1
a79ce69dc81aab0b8c3d7bd639d7fea9194d8864

SHA256
d2c33ee338d18cb2e931899b5b03afd3cfaa6c744c3e2797b9fd56b60732f89b

SHA512
e95ddbf5186cf8e3b52494076804c02194d87d30d8c99bb400ce14cf2bd0c81df954af333d1dd70512ba8aaf7534910112f938da353b111d2a1b7cf94b3bbb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\mshta.exe
Filesize
67KB

MD5
092a0c6fe885844fd74947e64e7fc11e

SHA1
bfe46f64f36f2e927d862a1a787f146ed2c01219

SHA256
91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

SHA512
022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
79KB

MD5
1f1b23752df3d29e7604ba52aea85862

SHA1
bb582c6cf022098b171c4c9c7318a51de29ebcf4

SHA256
4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

SHA512
d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ejoyxkv1\CSCA8C21895BBF6466C82DFB9B8F41F914.TMP
Filesize
652B

MD5
7776d66d31462f622339daca469a0a9e

SHA1
c45316a299996f278832908d581f8496fbf95d58

SHA256
4b9dd7c22e70952b2cda927f03e8f9be51cd96dfbbde1de810e95ce08c0ad978

SHA512
6c2fece81f74d83e605ba643518b08384c9e22022cfe355b2b4e1bfa7c5d5a80e61961b31c4c367292e2c29e3d52c709f493e504b35bcad8e10d6962b6e7ccc3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ejoyxkv1\ejoyxkv1.0.cs
Filesize
737B

MD5
3d57f8f44297464baafa6aeecd3bf4bc

SHA1
f370b4b9f8dba01fbcad979bd663d341f358a509

SHA256
415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1

SHA512
4052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ejoyxkv1\ejoyxkv1.cmdline
Filesize
369B

MD5
2268a0e6aea59129ccf2e6030a03f2fb

SHA1
7a74796845c21abea6a8d4a1fa34891ce7754e1f

SHA256
2119a55fa9a484c13a4b827848a87baaac730ff82dbb568cde4c165c4465e840

SHA512
6755e880f011f808b6457ad4f0254d75dca476d43ab995735953ba72a130186c104baf3cf631df8a172816172e4726b6a48bb7e407c6ebd9d14242c10fafbc28

Download Submit
memory/1720-95-0x000001D129A30000-0x000001D129A52000-memory.dmp

Filesize
136KB

Download
memory/1720-139-0x000001D129A20000-0x000001D129A28000-memory.dmp

Filesize
32KB

Download
memory/2588-32-0x0000000000D30000-0x0000000000D48000-memory.dmp

Filesize
96KB

Download
memory/2588-79-0x00007FFFABFC0000-0x00007FFFACA81000-memory.dmp

Filesize
10.8MB

Download
memory/2588-183-0x00007FFFABFC0000-0x00007FFFACA81000-memory.dmp

Filesize
10.8MB

Download
memory/2588-182-0x00007FFFABFC0000-0x00007FFFACA81000-memory.dmp

Filesize
10.8MB

Download
memory/2588-181-0x000000001DEA0000-0x000000001DEAE000-memory.dmp

Filesize
56KB

Download
memory/2588-57-0x00007FFFABFC0000-0x00007FFFACA81000-memory.dmp

Filesize
10.8MB

Download
memory/2948-1-0x00000000001D0000-0x00000000029BE000-memory.dmp

Filesize
39.9MB

Download
memory/2948-0-0x00007FFFABFC3000-0x00007FFFABFC5000-memory.dmp

Filesize
8KB

Download
memory/3968-45-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download
memory/4420-61-0x0000000000A90000-0x0000000000AFC000-memory.dmp

Filesize
432KB

Download
memory/4420-85-0x0000000006610000-0x000000000664C000-memory.dmp

Filesize
240KB

Download
memory/4420-73-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/4420-64-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/4420-119-0x0000000006AE0000-0x0000000006AEA000-memory.dmp

Filesize
40KB

Download
memory/4420-84-0x00000000060D0000-0x00000000060E2000-memory.dmp

Filesize
72KB

Download
memory/4420-63-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/4792-56-0x00000000004B0000-0x00000000004CA000-memory.dmp

Filesize
104KB

Download
memory/4888-74-0x000000001C1B0000-0x000000001C200000-memory.dmp

Filesize
320KB

Download
memory/4888-62-0x0000000000DC0000-0x00000000010E4000-memory.dmp

Filesize
3.1MB

Download
memory/4888-75-0x000000001C2C0000-0x000000001C372000-memory.dmp

Filesize
712KB

Download