quasar | b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c

Analysis

max time kernel
148s
max time network
115s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-10-2022 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe
Size

133KB
MD5

684eb69fd1fd9759e2a169b0dbbcb9f4
SHA1

3b83bc6a25cbd89a3bc01e4e5e26f494fbc2dc76
SHA256

b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c
SHA512

d9cb0e2d93be013fedb3c1e5d4ca232169924002830f6f76b895c9a798d467597e2eaf8ecaa89e584d34767436163d72122b74488dcc2583faa6bceb36a33a97
SSDEEP

3072:uJh7bROREmKlJJL5T++PCXSErFgEoKC2OwOKjGtSeyZZb:CvlJ7PPUSdlV5wOAGZy

Score

10^/10

quasar redline smokeloader office04 backdoor discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

80.66.87.13:80

Attributes

auth_value
19cd76dae6d01d9649fd29624fa61e51

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

80.76.51.137:4782

Mutex

9bf8fb2c-fccb-44eb-adec-7065899a9e07

Attributes

encryption_key
4F7D628B38CA922D6BB190220B885CBE1984E30E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-145-0x0000000002290000-0x0000000002299000-memory.dmp	family_smokeloader

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe	family_quasar
behavioral1/memory/4520-881-0x0000000000B40000-0x0000000000BC4000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

3CCA.exe4603.exe4FE7.exe614D.exe1.exe718A.exe78CF.exeYpqqnhpnidnclient-built.exe718A.exe

pid process

1640 3CCA.exe
3652 4603.exe
4244 4FE7.exe
3712 614D.exe
4160 1.exe
968 718A.exe
596 78CF.exe
4520 Ypqqnhpnidnclient-built.exe
5088 718A.exe
Deletes itself 1 IoCs

Processes:

pid process

2312
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1640	3CCA.exe
3652	4603.exe
4244	4FE7.exe
3712	614D.exe
4160	1.exe
968	718A.exe
596	78CF.exe
4520	Ypqqnhpnidnclient-built.exe
5088	718A.exe

pid	process
2312

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

718A.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hpkdbz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ckxqm\\Hpkdbz.exe\""	718A.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

83 checkip.amazonaws.com
85 checkip.amazonaws.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

718A.exe

description pid process target process

PID 968 set thread context of 5088 968 718A.exe 718A.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
83	checkip.amazonaws.com
85	checkip.amazonaws.com

description	pid	process	target process
PID 968 set thread context of 5088	968	718A.exe	718A.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4184 schtasks.exe

pid	process
4184	schtasks.exe

GoLang User-Agent 5 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	71	Go-http-client/1.1
HTTP User-Agent header	74	Go-http-client/1.1
HTTP User-Agent header	76	Go-http-client/1.1
HTTP User-Agent header	69	Go-http-client/1.1
HTTP User-Agent header	70	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

614D.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F373B387065A28848AF2F34ACE192BDDC78E9CAC	614D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F373B387065A28848AF2F34ACE192BDDC78E9CAC\Blob = 0f0000000100000020000000927824e958a132afbcadd9e12357a0f9788ab99c5669e1ec3825e1eb5f6f54540b000000010000003e00000041006300740061006c00690073002000410075007400680065006e007400690063006100740069006f006e00200052006f006f0074002000430041000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000055926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066530000000100000020000000301e301c06062b811f01110130123010060a2b0601040182373c0101030200c014000000010000001400000052d8883ac89f7866ed89f37b387094c9020236d01d000000010000001000000095b4475fef63caf7452d10faa6f6362b030000000100000014000000f373b387065a28848af2f34ace192bddc78e9cac2000000001000000bf050000308205bb308203a3a0030201020208570a119742c4e3cc300d06092a864886f70d01010b0500306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f74204341301e170d3131303932323131323230325a170d3330303932323131323230325a306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100a7c6c4a529a42cefe518c5b050a36f513b9f0a5ac9c248380ac21ca0187f91b587b9403fdd1d681f0883d52d1e88a0f88f568f6d9902929016d55f086c89d7e1acbc20c2b1e083518a694d00965a6f2fc0447ea30ee491cd58eedcfbc71e4547dd27b908019fa6211df5412d2f4cfd28ade08aad22b456658e86548f934329de394678a33023bacdf07d1357c05dd2836b484cc4ab9f805a5b3abdc9a7223f8027335b0eb78a0c5d073708cb6cd27a47224435c5cccc2e8edd2aedb77d660d5f615122551be346e3e33dd035629adbaf14c85ba1cc891be13026fca09b1f81a7471f04eba33992069f99d3bfd3ea4f509c19fe96871e3c65f6a31824838610e7543ea83a76244f8121c5e30f02f893944720bbfed40ed368b9ddc47a8482e3535479dddb9cd2f2079b2eb6bc3eed856def2511f2971a4261f74a97e88bb11007fa6581b2a239cff73cff18fbc6f15a8b59e202ac7b92d04e144f5945f60c5e285fb0e83f45cfcfaf9b6ffb84d3775a956fac94849eeebcc04a8f4a93f84421e2314561504e10d8e3357c4c19b4de05bfa3069fc8b5cde41fd717060d7a9574550d681afc101b62649d6de095a0c39407570d14e6bd05fbb89fe6df8be2c6e77e96f653c58034502858f01250711730bae67863bcf4b2ad9b2bb2fee1398c5eba0b2094de7b83b8ffe3568db711e93b8cf2b1c15d9da40b4c2bd9b218f5b59f4b0203010001a3633061301d0603551d0e0416041452d8883ac89f7866ed89f37b387094c9020236d0300f0603551d130101ff040530030101ff301f0603551d2304183016801452d8883ac89f7866ed89f37b387094c9020236d0300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820201000b7b7287c060a6494c8858e61d88f7146448a6d8580a0e4f1335df351dd4ed0631c8813e6ad5dd3b1a32ee903d11d22ef48ec3632e2366b067be6fb6c0133960aaa23425937552dea79dad0e878952716a163c191d83f89a2965bef43f9ad9f0f35a872171804dcbe0389b3fbbfae0304dcf86d365101918d19702b12b724268aca0bd4e5ada18bf6b9881d0fd9abe5e1548cd1115b9c0295cb4e888f73e36aeb762fd1e62de7078101c485bdabca438ba67ed553e5e57dfd403404c81a4d24f63a709420914fc00a9c280734f2ec040d9117b48ea7a02c0d3eb2801265874c1c073226d9395fd397dbb2ae3f682e32c975f4e1f9194fafe2ca3d8761ab84db2384f9bfa1d48607926e2f3fda9d09ae8708f497ad6e5bd0a0edb2df38dbfebe3a47dcbc79571e8daa37cc5c2f87492041b86aca4225340b6acfe4c76cffb9432c0359f763f6ee5906ea0a626a2b82cbed12b85fda768c8ba012bb16c741db87395e7eeb7c725f0004c00b27eb60b8b1cf3c0509e25b9e008de3666ff37a5d1bb54642cc927b54b927e65ffd32de1b94ebc7fa44121904177a6391fea9ee39fd0666f05ecaa767ebf6b16a0ebb5c7fc92542f2b11272537784c516ab0f3cc585d14f16a4815ffc207b6b18d0f8e5c5046b33dbf01984fb25954473e347b786d56932e73ea662878cd1d14bfa08f2f2eb82e8ef2148acce9b57cfb6c9d0ca5e196	614D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F373B387065A28848AF2F34ACE192BDDC78E9CAC\Blob = 190000000100000010000000147c50fda90d6498a51e241b0e84d362030000000100000014000000f373b387065a28848af2f34ace192bddc78e9cac1d000000010000001000000095b4475fef63caf7452d10faa6f6362b14000000010000001400000052d8883ac89f7866ed89f37b387094c9020236d0530000000100000020000000301e301c06062b811f01110130123010060a2b0601040182373c0101030200c062000000010000002000000055926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b000000010000003e00000041006300740061006c00690073002000410075007400680065006e007400690063006100740069006f006e00200052006f006f00740020004300410000000f0000000100000020000000927824e958a132afbcadd9e12357a0f9788ab99c5669e1ec3825e1eb5f6f54542000000001000000bf050000308205bb308203a3a0030201020208570a119742c4e3cc300d06092a864886f70d01010b0500306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f74204341301e170d3131303932323131323230325a170d3330303932323131323230325a306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100a7c6c4a529a42cefe518c5b050a36f513b9f0a5ac9c248380ac21ca0187f91b587b9403fdd1d681f0883d52d1e88a0f88f568f6d9902929016d55f086c89d7e1acbc20c2b1e083518a694d00965a6f2fc0447ea30ee491cd58eedcfbc71e4547dd27b908019fa6211df5412d2f4cfd28ade08aad22b456658e86548f934329de394678a33023bacdf07d1357c05dd2836b484cc4ab9f805a5b3abdc9a7223f8027335b0eb78a0c5d073708cb6cd27a47224435c5cccc2e8edd2aedb77d660d5f615122551be346e3e33dd035629adbaf14c85ba1cc891be13026fca09b1f81a7471f04eba33992069f99d3bfd3ea4f509c19fe96871e3c65f6a31824838610e7543ea83a76244f8121c5e30f02f893944720bbfed40ed368b9ddc47a8482e3535479dddb9cd2f2079b2eb6bc3eed856def2511f2971a4261f74a97e88bb11007fa6581b2a239cff73cff18fbc6f15a8b59e202ac7b92d04e144f5945f60c5e285fb0e83f45cfcfaf9b6ffb84d3775a956fac94849eeebcc04a8f4a93f84421e2314561504e10d8e3357c4c19b4de05bfa3069fc8b5cde41fd717060d7a9574550d681afc101b62649d6de095a0c39407570d14e6bd05fbb89fe6df8be2c6e77e96f653c58034502858f01250711730bae67863bcf4b2ad9b2bb2fee1398c5eba0b2094de7b83b8ffe3568db711e93b8cf2b1c15d9da40b4c2bd9b218f5b59f4b0203010001a3633061301d0603551d0e0416041452d8883ac89f7866ed89f37b387094c9020236d0300f0603551d130101ff040530030101ff301f0603551d2304183016801452d8883ac89f7866ed89f37b387094c9020236d0300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820201000b7b7287c060a6494c8858e61d88f7146448a6d8580a0e4f1335df351dd4ed0631c8813e6ad5dd3b1a32ee903d11d22ef48ec3632e2366b067be6fb6c0133960aaa23425937552dea79dad0e878952716a163c191d83f89a2965bef43f9ad9f0f35a872171804dcbe0389b3fbbfae0304dcf86d365101918d19702b12b724268aca0bd4e5ada18bf6b9881d0fd9abe5e1548cd1115b9c0295cb4e888f73e36aeb762fd1e62de7078101c485bdabca438ba67ed553e5e57dfd403404c81a4d24f63a709420914fc00a9c280734f2ec040d9117b48ea7a02c0d3eb2801265874c1c073226d9395fd397dbb2ae3f682e32c975f4e1f9194fafe2ca3d8761ab84db2384f9bfa1d48607926e2f3fda9d09ae8708f497ad6e5bd0a0edb2df38dbfebe3a47dcbc79571e8daa37cc5c2f87492041b86aca4225340b6acfe4c76cffb9432c0359f763f6ee5906ea0a626a2b82cbed12b85fda768c8ba012bb16c741db87395e7eeb7c725f0004c00b27eb60b8b1cf3c0509e25b9e008de3666ff37a5d1bb54642cc927b54b927e65ffd32de1b94ebc7fa44121904177a6391fea9ee39fd0666f05ecaa767ebf6b16a0ebb5c7fc92542f2b11272537784c516ab0f3cc585d14f16a4815ffc207b6b18d0f8e5c5046b33dbf01984fb25954473e347b786d56932e73ea662878cd1d14bfa08f2f2eb82e8ef2148acce9b57cfb6c9d0ca5e196	614D.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe

pid	process
2204	b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe
2204	b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2312

pid	process
2312

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe

pid	process
2204	b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312
2312

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4FE7.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeShutdownPrivilege	2312
Token: SeCreatePagefilePrivilege	2312
Token: SeDebugPrivilege	4244	4FE7.exe
Token: SeIncreaseQuotaPrivilege	5044	WMIC.exe
Token: SeSecurityPrivilege	5044	WMIC.exe
Token: SeTakeOwnershipPrivilege	5044	WMIC.exe
Token: SeLoadDriverPrivilege	5044	WMIC.exe
Token: SeSystemProfilePrivilege	5044	WMIC.exe
Token: SeSystemtimePrivilege	5044	WMIC.exe
Token: SeProfSingleProcessPrivilege	5044	WMIC.exe
Token: SeIncBasePriorityPrivilege	5044	WMIC.exe
Token: SeCreatePagefilePrivilege	5044	WMIC.exe
Token: SeBackupPrivilege	5044	WMIC.exe
Token: SeRestorePrivilege	5044	WMIC.exe
Token: SeShutdownPrivilege	5044	WMIC.exe
Token: SeDebugPrivilege	5044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5044	WMIC.exe
Token: SeRemoteShutdownPrivilege	5044	WMIC.exe
Token: SeUndockPrivilege	5044	WMIC.exe
Token: SeManageVolumePrivilege	5044	WMIC.exe
Token: 33	5044	WMIC.exe
Token: 34	5044	WMIC.exe
Token: 35	5044	WMIC.exe
Token: 36	5044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5044	WMIC.exe
Token: SeSecurityPrivilege	5044	WMIC.exe
Token: SeTakeOwnershipPrivilege	5044	WMIC.exe
Token: SeLoadDriverPrivilege	5044	WMIC.exe
Token: SeSystemProfilePrivilege	5044	WMIC.exe
Token: SeSystemtimePrivilege	5044	WMIC.exe
Token: SeProfSingleProcessPrivilege	5044	WMIC.exe
Token: SeIncBasePriorityPrivilege	5044	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3CCA.exe614D.execmd.exe718A.exe

description	pid	process	target process
PID 2312 wrote to memory of 1640	2312		3CCA.exe
PID 2312 wrote to memory of 1640	2312		3CCA.exe
PID 2312 wrote to memory of 1640	2312		3CCA.exe
PID 2312 wrote to memory of 3652	2312		4603.exe
PID 2312 wrote to memory of 3652	2312		4603.exe
PID 2312 wrote to memory of 3652	2312		4603.exe
PID 2312 wrote to memory of 4244	2312		4FE7.exe
PID 2312 wrote to memory of 4244	2312		4FE7.exe
PID 2312 wrote to memory of 4244	2312		4FE7.exe
PID 1640 wrote to memory of 4160	1640	3CCA.exe	1.exe
PID 1640 wrote to memory of 4160	1640	3CCA.exe	1.exe
PID 1640 wrote to memory of 4160	1640	3CCA.exe	1.exe
PID 2312 wrote to memory of 3712	2312		614D.exe
PID 2312 wrote to memory of 3712	2312		614D.exe
PID 2312 wrote to memory of 3712	2312		614D.exe
PID 2312 wrote to memory of 968	2312		718A.exe
PID 2312 wrote to memory of 968	2312		718A.exe
PID 2312 wrote to memory of 596	2312		78CF.exe
PID 2312 wrote to memory of 596	2312		78CF.exe
PID 2312 wrote to memory of 596	2312		78CF.exe
PID 2312 wrote to memory of 4700	2312		explorer.exe
PID 2312 wrote to memory of 4700	2312		explorer.exe
PID 2312 wrote to memory of 4700	2312		explorer.exe
PID 2312 wrote to memory of 4700	2312		explorer.exe
PID 3712 wrote to memory of 864	3712	614D.exe	cmd.exe
PID 3712 wrote to memory of 864	3712	614D.exe	cmd.exe
PID 3712 wrote to memory of 864	3712	614D.exe	cmd.exe
PID 2312 wrote to memory of 3220	2312		explorer.exe
PID 2312 wrote to memory of 3220	2312		explorer.exe
PID 2312 wrote to memory of 3220	2312		explorer.exe
PID 2312 wrote to memory of 1848	2312		explorer.exe
PID 2312 wrote to memory of 1848	2312		explorer.exe
PID 2312 wrote to memory of 1848	2312		explorer.exe
PID 2312 wrote to memory of 1848	2312		explorer.exe
PID 2312 wrote to memory of 2852	2312		explorer.exe
PID 2312 wrote to memory of 2852	2312		explorer.exe
PID 2312 wrote to memory of 2852	2312		explorer.exe
PID 864 wrote to memory of 5044	864	cmd.exe	WMIC.exe
PID 864 wrote to memory of 5044	864	cmd.exe	WMIC.exe
PID 864 wrote to memory of 5044	864	cmd.exe	WMIC.exe
PID 2312 wrote to memory of 5068	2312		explorer.exe
PID 2312 wrote to memory of 5068	2312		explorer.exe
PID 2312 wrote to memory of 5068	2312		explorer.exe
PID 2312 wrote to memory of 5068	2312		explorer.exe
PID 2312 wrote to memory of 2236	2312		explorer.exe
PID 2312 wrote to memory of 2236	2312		explorer.exe
PID 2312 wrote to memory of 2236	2312		explorer.exe
PID 2312 wrote to memory of 2236	2312		explorer.exe
PID 2312 wrote to memory of 4632	2312		explorer.exe
PID 2312 wrote to memory of 4632	2312		explorer.exe
PID 2312 wrote to memory of 4632	2312		explorer.exe
PID 2312 wrote to memory of 4632	2312		explorer.exe
PID 2312 wrote to memory of 4384	2312		explorer.exe
PID 2312 wrote to memory of 4384	2312		explorer.exe
PID 2312 wrote to memory of 4384	2312		explorer.exe
PID 2312 wrote to memory of 4544	2312		explorer.exe
PID 2312 wrote to memory of 4544	2312		explorer.exe
PID 2312 wrote to memory of 4544	2312		explorer.exe
PID 2312 wrote to memory of 4544	2312		explorer.exe
PID 968 wrote to memory of 2340	968	718A.exe	powershell.exe
PID 968 wrote to memory of 2340	968	718A.exe	powershell.exe
PID 968 wrote to memory of 4520	968	718A.exe	Ypqqnhpnidnclient-built.exe
PID 968 wrote to memory of 4520	968	718A.exe	Ypqqnhpnidnclient-built.exe
PID 968 wrote to memory of 5088	968	718A.exe	718A.exe

C:\Users\Admin\AppData\Local\Temp\b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe
"C:\Users\Admin\AppData\Local\Temp\b28d6b994dcacc0d94a798011c1f7f6ba7bb293e0260159b60104620f320e01c.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2204

C:\Users\Admin\AppData\Local\Temp\3CCA.exe
C:\Users\Admin\AppData\Local\Temp\3CCA.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
2⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Local\Temp\4603.exe
C:\Users\Admin\AppData\Local\Temp\4603.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Users\Admin\AppData\Local\Temp\4FE7.exe
C:\Users\Admin\AppData\Local\Temp\4FE7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Users\Admin\AppData\Local\Temp\614D.exe
C:\Users\Admin\AppData\Local\Temp\614D.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Users\Admin\AppData\Local\Temp\718A.exe
C:\Users\Admin\AppData\Local\Temp\718A.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe
"C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe"
2⤵
- Executes dropped EXE
PID:4520

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4184

C:\Users\Admin\AppData\Local\Temp\718A.exe
C:\Users\Admin\AppData\Local\Temp\718A.exe
2⤵
- Executes dropped EXE
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
3⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\78CF.exe
C:\Users\Admin\AppData\Local\Temp\78CF.exe
1⤵
- Executes dropped EXE
PID:596

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4700

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1848

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2852

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2236

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4632

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4384

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
41bcafb46d3787f8e89272f987de30ce

SHA1
2e97490f5ae4426579d602f0342350a8352e5a4f

SHA256
1a296946ac595c6462fc283e7a81717085dbdb5f1bf9ba0836a1c72f9b832b00

SHA512
955f7b60962e604a38d6785350715309d433c9728483e752adddacea89afc2a24af6efb93c13e4fab32c914202b7092c08753b0822956402d4d220f2b16125dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CCA.exe
Filesize
466KB

MD5
2955a7fdcda8c0768d106b135a352173

SHA1
1de1f74183421d4f811af2dc469840c8d266eec9

SHA256
3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

SHA512
c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CCA.exe
Filesize
466KB

MD5
2955a7fdcda8c0768d106b135a352173

SHA1
1de1f74183421d4f811af2dc469840c8d266eec9

SHA256
3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

SHA512
c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603.exe
Filesize
315KB

MD5
e906b58bdb9d838c9b0065d8bd61a5eb

SHA1
41f761de7dd6184691dfa9dda0badaeefb207806

SHA256
1a8df374fa85e671cfab78e3aa0f32a1e0031d37778ce43a4b83a7e2205a6934

SHA512
905e0c7410a9aaee822af4738e5e79b7b9e2cf13e905499d6b92820cddc1ef6dc7a9ad6dbf0cf675e7297cb3a76d92ad7c3bbadcf82b372a7175f79c4182128e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603.exe
Filesize
315KB

MD5
e906b58bdb9d838c9b0065d8bd61a5eb

SHA1
41f761de7dd6184691dfa9dda0badaeefb207806

SHA256
1a8df374fa85e671cfab78e3aa0f32a1e0031d37778ce43a4b83a7e2205a6934

SHA512
905e0c7410a9aaee822af4738e5e79b7b9e2cf13e905499d6b92820cddc1ef6dc7a9ad6dbf0cf675e7297cb3a76d92ad7c3bbadcf82b372a7175f79c4182128e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FE7.exe
Filesize
237KB

MD5
d721aa5fb80cb8439585838732ddda66

SHA1
e0ff77d67729bc979068408358cb29dbbf40cf22

SHA256
3fe71ff72cc08157f0cbb93be5051ae98b8ae88546f7bd1e1bee06bfa542dba2

SHA512
5d685d11467fda77e2cfb1223dd22f10c3a3e9262516e8be8ee57d3df9b32bb472174603071c3af7d1d4bf7794776a801d1ea5266392cf5dc5df88c35e851e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FE7.exe
Filesize
237KB

MD5
d721aa5fb80cb8439585838732ddda66

SHA1
e0ff77d67729bc979068408358cb29dbbf40cf22

SHA256
3fe71ff72cc08157f0cbb93be5051ae98b8ae88546f7bd1e1bee06bfa542dba2

SHA512
5d685d11467fda77e2cfb1223dd22f10c3a3e9262516e8be8ee57d3df9b32bb472174603071c3af7d1d4bf7794776a801d1ea5266392cf5dc5df88c35e851e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\614D.exe
Filesize
4.3MB

MD5
06a1dc7aae769814998f99c0bca5ea41

SHA1
81ea40089386bffadd0e0a6bb780b7ddd4dc71a9

SHA256
ed14ed57c0a785e01024deffe5a05a79ed9d61a21c58ea8be136c79d31e2daa6

SHA512
aa4a4f8cfe7d7e68c6751e518763cbc509a7ba31699dc7541104170af1a19b439e9ae687d92c8b09450088317e58b5fc78b921646ddba0a28b1f080b7190f65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\614D.exe
Filesize
4.3MB

MD5
06a1dc7aae769814998f99c0bca5ea41

SHA1
81ea40089386bffadd0e0a6bb780b7ddd4dc71a9

SHA256
ed14ed57c0a785e01024deffe5a05a79ed9d61a21c58ea8be136c79d31e2daa6

SHA512
aa4a4f8cfe7d7e68c6751e518763cbc509a7ba31699dc7541104170af1a19b439e9ae687d92c8b09450088317e58b5fc78b921646ddba0a28b1f080b7190f65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\718A.exe
Filesize
4.0MB

MD5
9d44f4ff76a3fd78599ad60e2222f31e

SHA1
3c1e0a1bbcd66117fc1448da09ed27d8afef89c8

SHA256
684c5c936be10e93272aab54dba6d4492fffdf8eea4363e1e8767c744cb70b00

SHA512
b93729de3839fe79e0d9617e66e572c3d2f21da5f89aea23bd29e2970fad255c1c0b50ec82547497d513331e7e654a965b66f066672c0aec003ba203cc02df7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\718A.exe
Filesize
4.0MB

MD5
9d44f4ff76a3fd78599ad60e2222f31e

SHA1
3c1e0a1bbcd66117fc1448da09ed27d8afef89c8

SHA256
684c5c936be10e93272aab54dba6d4492fffdf8eea4363e1e8767c744cb70b00

SHA512
b93729de3839fe79e0d9617e66e572c3d2f21da5f89aea23bd29e2970fad255c1c0b50ec82547497d513331e7e654a965b66f066672c0aec003ba203cc02df7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\718A.exe
Filesize
4.0MB

MD5
9d44f4ff76a3fd78599ad60e2222f31e

SHA1
3c1e0a1bbcd66117fc1448da09ed27d8afef89c8

SHA256
684c5c936be10e93272aab54dba6d4492fffdf8eea4363e1e8767c744cb70b00

SHA512
b93729de3839fe79e0d9617e66e572c3d2f21da5f89aea23bd29e2970fad255c1c0b50ec82547497d513331e7e654a965b66f066672c0aec003ba203cc02df7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\78CF.exe
Filesize
236KB

MD5
ae135c9b09deb9a72e3fa5286aa473e7

SHA1
d544617488a05590be04e771932ccff8b3e43e46

SHA256
49aacad637554371e55dae62d643fffcfc5b13c80a6474804321ae4f399a7a24

SHA512
756d1a143824a7ff6f48820c43ded94d866e3f386e8b353905eb6dcd446c3103592de90f97d6102406de75e52882acd329e924695ea4bfcc5d54b058d87d5205

Download Submit
C:\Users\Admin\AppData\Local\Temp\78CF.exe
Filesize
236KB

MD5
ae135c9b09deb9a72e3fa5286aa473e7

SHA1
d544617488a05590be04e771932ccff8b3e43e46

SHA256
49aacad637554371e55dae62d643fffcfc5b13c80a6474804321ae4f399a7a24

SHA512
756d1a143824a7ff6f48820c43ded94d866e3f386e8b353905eb6dcd446c3103592de90f97d6102406de75e52882acd329e924695ea4bfcc5d54b058d87d5205

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe
Filesize
502KB

MD5
261a200221b82c1df863923bde9a7b28

SHA1
1e5f3779911c5e0b8f91943fa496f527d96fd498

SHA256
7644f638ac181cb63d518e053e9e5878f64df8c7fdadb6423662ed9d0a11da71

SHA512
55b25a8aaf3b29b3fc9266140cb9574019124d611bb6293ee0b37690dc64f0ad5a77f343a52739bdc82bdfab8158bbe5090c73bfea2a33b787443dc25d13b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe
Filesize
502KB

MD5
261a200221b82c1df863923bde9a7b28

SHA1
1e5f3779911c5e0b8f91943fa496f527d96fd498

SHA256
7644f638ac181cb63d518e053e9e5878f64df8c7fdadb6423662ed9d0a11da71

SHA512
55b25a8aaf3b29b3fc9266140cb9574019124d611bb6293ee0b37690dc64f0ad5a77f343a52739bdc82bdfab8158bbe5090c73bfea2a33b787443dc25d13b753

Download Submit
C:\Windows\Temp\1.exe
Filesize
369KB

MD5
4a32a16c5a3c79ade487c098ee71a2be

SHA1
414b203eeb20ac7e74316fd2877ca4ebf52193df

SHA256
61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

SHA512
6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

Download Submit
C:\Windows\Temp\1.exe
Filesize
369KB

MD5
4a32a16c5a3c79ade487c098ee71a2be

SHA1
414b203eeb20ac7e74316fd2877ca4ebf52193df

SHA256
61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

SHA512
6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

Download Submit
memory/596-805-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/596-372-0x0000000000000000-mapping.dmp

Download
memory/596-517-0x000000000085A000-0x0000000000884000-memory.dmp

Filesize
168KB

Download
memory/596-522-0x00000000021E0000-0x0000000002218000-memory.dmp

Filesize
224KB

Download
memory/596-526-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/596-804-0x000000000085A000-0x0000000000884000-memory.dmp

Filesize
168KB

Download
memory/864-414-0x0000000000000000-mapping.dmp

Download
memory/968-366-0x0000000000000000-mapping.dmp

Download
memory/968-369-0x000001C7CF260000-0x000001C7CF664000-memory.dmp

Filesize
4.0MB

Download
memory/968-664-0x000001C7E9EC0000-0x000001C7EA0C4000-memory.dmp

Filesize
2.0MB

Download
memory/968-728-0x000001C7E9B10000-0x000001C7E9BA2000-memory.dmp

Filesize
584KB

Download
memory/968-739-0x000001C7CFA60000-0x000001C7CFA82000-memory.dmp

Filesize
136KB

Download
memory/1640-162-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-185-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-161-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-163-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-179-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-192-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-191-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-190-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-167-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-171-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-174-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-175-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-176-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-159-0x0000000000000000-mapping.dmp

Download
memory/1640-189-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-188-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1848-438-0x0000000000000000-mapping.dmp

Download
memory/2204-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-122-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-124-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-120-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-158-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2204-157-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-127-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-154-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-121-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-123-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-144-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/2204-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-146-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2204-145-0x0000000002290000-0x0000000002299000-memory.dmp

Filesize
36KB

Download
memory/2204-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-143-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-153-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2236-781-0x0000000000930000-0x0000000000939000-memory.dmp

Filesize
36KB

Download
memory/2236-779-0x0000000000940000-0x0000000000945000-memory.dmp

Filesize
20KB

Download
memory/2236-860-0x0000000000940000-0x0000000000945000-memory.dmp

Filesize
20KB

Download
memory/2236-528-0x0000000000000000-mapping.dmp

Download
memory/2340-844-0x000001C9DC2B0000-0x000001C9DC326000-memory.dmp

Filesize
472KB

Download
memory/2340-795-0x0000000000000000-mapping.dmp

Download
memory/2852-465-0x0000000000000000-mapping.dmp

Download
memory/2852-800-0x0000000000EF0000-0x0000000000EF6000-memory.dmp

Filesize
24KB

Download
memory/2852-511-0x0000000000EF0000-0x0000000000EF6000-memory.dmp

Filesize
24KB

Download
memory/2852-472-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/3220-754-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download
memory/3220-440-0x00000000004A0000-0x00000000004AF000-memory.dmp

Filesize
60KB

Download
memory/3220-437-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download
memory/3220-418-0x0000000000000000-mapping.dmp

Download
memory/3652-177-0x0000000000000000-mapping.dmp

Download
memory/3652-187-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/3652-186-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/3652-184-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/3652-182-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/3712-292-0x0000000000000000-mapping.dmp

Download
memory/3756-889-0x0000000000000000-mapping.dmp

Download
memory/4160-305-0x0000000000000000-mapping.dmp

Download
memory/4184-886-0x0000000000000000-mapping.dmp

Download
memory/4244-862-0x0000000006B20000-0x0000000006B3E000-memory.dmp

Filesize
120KB

Download
memory/4244-469-0x00000000005F0000-0x0000000000628000-memory.dmp

Filesize
224KB

Download
memory/4244-441-0x0000000005230000-0x0000000005836000-memory.dmp

Filesize
6.0MB

Download
memory/4244-444-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4244-452-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/4244-467-0x00000000007EA000-0x0000000000814000-memory.dmp

Filesize
168KB

Download
memory/4244-466-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/4244-286-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4244-876-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4244-875-0x00000000007EA000-0x0000000000814000-memory.dmp

Filesize
168KB

Download
memory/4244-539-0x0000000005950000-0x000000000599B000-memory.dmp

Filesize
300KB

Download
memory/4244-868-0x0000000007C60000-0x000000000818C000-memory.dmp

Filesize
5.2MB

Download
memory/4244-267-0x00000000005F0000-0x0000000000628000-memory.dmp

Filesize
224KB

Download
memory/4244-323-0x00000000022D0000-0x0000000002300000-memory.dmp

Filesize
192KB

Download
memory/4244-264-0x00000000007EA000-0x0000000000814000-memory.dmp

Filesize
168KB

Download
memory/4244-356-0x0000000004D30000-0x000000000522E000-memory.dmp

Filesize
5.0MB

Download
memory/4244-203-0x0000000000000000-mapping.dmp

Download
memory/4244-867-0x0000000007A90000-0x0000000007C52000-memory.dmp

Filesize
1.8MB

Download
memory/4244-866-0x0000000007930000-0x0000000007980000-memory.dmp

Filesize
320KB

Download
memory/4244-861-0x0000000006A70000-0x0000000006AE6000-memory.dmp

Filesize
472KB

Download
memory/4244-840-0x00000000066A0000-0x0000000006732000-memory.dmp

Filesize
584KB

Download
memory/4244-361-0x00000000024B0000-0x00000000024E0000-memory.dmp

Filesize
192KB

Download
memory/4244-842-0x0000000006740000-0x00000000067A6000-memory.dmp

Filesize
408KB

Download
memory/4384-607-0x00000000005D0000-0x00000000005DD000-memory.dmp

Filesize
52KB

Download
memory/4384-827-0x00000000005E0000-0x00000000005E7000-memory.dmp

Filesize
28KB

Download
memory/4384-628-0x00000000005E0000-0x00000000005E7000-memory.dmp

Filesize
28KB

Download
memory/4384-597-0x0000000000000000-mapping.dmp

Download
memory/4520-881-0x0000000000B40000-0x0000000000BC4000-memory.dmp

Filesize
528KB

Download
memory/4520-878-0x0000000000000000-mapping.dmp

Download
memory/4544-620-0x0000000000000000-mapping.dmp

Download
memory/4544-812-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/4544-806-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/4632-562-0x0000000000000000-mapping.dmp

Download
memory/4700-566-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/4700-603-0x0000000000110000-0x000000000011B000-memory.dmp

Filesize
44KB

Download
memory/4700-381-0x0000000000000000-mapping.dmp

Download
memory/5044-483-0x0000000000000000-mapping.dmp

Download
memory/5068-859-0x00000000005B0000-0x00000000005D2000-memory.dmp

Filesize
136KB

Download
memory/5068-757-0x00000000005B0000-0x00000000005D2000-memory.dmp

Filesize
136KB

Download
memory/5068-777-0x0000000000580000-0x00000000005A7000-memory.dmp

Filesize
156KB

Download
memory/5068-494-0x0000000000000000-mapping.dmp

Download
memory/5088-883-0x0000000000400000-mapping.dmp

Download
memory/5088-885-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/5088-887-0x00000245F9480000-0x00000245F95AA000-memory.dmp

Filesize
1.2MB

Download
memory/5088-888-0x00000245F93E0000-0x00000245F9472000-memory.dmp

Filesize
584KB

Download