quasar | 3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe
Size

133KB
MD5

dc8fc2af8ee44281b06c649e93556e1d
SHA1

b34f8049d382830170e846e5ce3184974e619d9b
SHA256

3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def
SHA512

a29e0adb7a1f81adb205cc75f3c90cbe0d7bcad88b1cb78784b24e12129c3bd1ac1873d8db69465a9fc372c0bd39c3a1bcc9b3f7a382c5f3c52bae4744227786
SSDEEP

3072:anqHM7ORN5z60H+/6GKLoehSVVq+5ixgyTG:HZokZ7YZ5iCyT

Score

10^/10

quasar redline smokeloader fud office04 backdoor discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fud

45.15.156.7:48638

Attributes

auth_value
da2faefdcf53c9d85fcbb82d0cbf4876

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

80.76.51.137:4782

Mutex

9bf8fb2c-fccb-44eb-adec-7065899a9e07

Attributes

encryption_key
4F7D628B38CA922D6BB190220B885CBE1984E30E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4828-133-0x0000000000810000-0x0000000000819000-memory.dmp	family_smokeloader

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3848-253-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

2B65.exe8B78.exe1.exe8EF4.exe953E.exe99C3.exeA453.exeA8E8.exeB1D2.exe2B65.exe2B65.exeYpqqnhpnidnclient-built.exeB1D2.exeClient.exe

pid	process
956	2B65.exe
336	8B78.exe
4204	1.exe
3884	8EF4.exe
3336	953E.exe
4012	99C3.exe
5092	A453.exe
4288	A8E8.exe
4704	B1D2.exe
1644	2B65.exe
3848	2B65.exe
944	Ypqqnhpnidnclient-built.exe
3720	B1D2.exe
2868	Client.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2B65.exe8B78.exeB1D2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2B65.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	8B78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	B1D2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

A453.exeB1D2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dameon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\tools\\Dameon.exe"	A453.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hpkdbz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ckxqm\\Hpkdbz.exe\""	B1D2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

140 checkip.amazonaws.com
141 checkip.amazonaws.com

flow	ioc
140	checkip.amazonaws.com
141	checkip.amazonaws.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

8EF4.exe2B65.exeB1D2.exe

description	pid	process	target process
PID 3884 set thread context of 4084	3884	8EF4.exe	RegAsm.exe
PID 956 set thread context of 3848	956	2B65.exe	2B65.exe
PID 4704 set thread context of 3720	4704	B1D2.exe	B1D2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3140 4084 WerFault.exe RegAsm.exe
712 4288 WerFault.exe A8E8.exe
4884 4012 WerFault.exe 99C3.exe

pid	pid_target	process	target process
3140	4084	WerFault.exe	RegAsm.exe
712	4288	WerFault.exe	A8E8.exe
4884	4012	WerFault.exe	99C3.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4696 schtasks.exe
4668 schtasks.exe
3980 schtasks.exe

pid	process
4696	schtasks.exe
4668	schtasks.exe
3980	schtasks.exe

GoLang User-Agent 5 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	128	Go-http-client/1.1
HTTP User-Agent header	131	Go-http-client/1.1
HTTP User-Agent header	132	Go-http-client/1.1
HTTP User-Agent header	133	Go-http-client/1.1
HTTP User-Agent header	127	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe

pid	process
4828	3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe
4828	3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048

pid	process
3048

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe

pid	process
4828	3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe99C3.exeA8E8.exe8EF4.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeDebugPrivilege	4012	99C3.exe
Token: SeDebugPrivilege	4288	A8E8.exe
Token: SeDebugPrivilege	3884	8EF4.exe
Token: SeIncreaseQuotaPrivilege	4244	WMIC.exe
Token: SeSecurityPrivilege	4244	WMIC.exe
Token: SeTakeOwnershipPrivilege	4244	WMIC.exe
Token: SeLoadDriverPrivilege	4244	WMIC.exe
Token: SeSystemProfilePrivilege	4244	WMIC.exe
Token: SeSystemtimePrivilege	4244	WMIC.exe
Token: SeProfSingleProcessPrivilege	4244	WMIC.exe
Token: SeIncBasePriorityPrivilege	4244	WMIC.exe
Token: SeCreatePagefilePrivilege	4244	WMIC.exe
Token: SeBackupPrivilege	4244	WMIC.exe
Token: SeRestorePrivilege	4244	WMIC.exe
Token: SeShutdownPrivilege	4244	WMIC.exe
Token: SeDebugPrivilege	4244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4244	WMIC.exe
Token: SeRemoteShutdownPrivilege	4244	WMIC.exe
Token: SeUndockPrivilege	4244	WMIC.exe
Token: SeManageVolumePrivilege	4244	WMIC.exe
Token: 33	4244	WMIC.exe
Token: 34	4244	WMIC.exe
Token: 35	4244	WMIC.exe
Token: 36	4244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4244	WMIC.exe
Token: SeSecurityPrivilege	4244	WMIC.exe
Token: SeTakeOwnershipPrivilege	4244	WMIC.exe
Token: SeLoadDriverPrivilege	4244	WMIC.exe
Token: SeSystemProfilePrivilege	4244	WMIC.exe
Token: SeSystemtimePrivilege	4244	WMIC.exe
Token: SeProfSingleProcessPrivilege	4244	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2B65.exe8B78.exeA453.execmd.exe8EF4.exe

description	pid	process	target process
PID 3048 wrote to memory of 956	3048		2B65.exe
PID 3048 wrote to memory of 956	3048		2B65.exe
PID 3048 wrote to memory of 956	3048		2B65.exe
PID 956 wrote to memory of 1100	956	2B65.exe	powershell.exe
PID 956 wrote to memory of 1100	956	2B65.exe	powershell.exe
PID 956 wrote to memory of 1100	956	2B65.exe	powershell.exe
PID 3048 wrote to memory of 336	3048		8B78.exe
PID 3048 wrote to memory of 336	3048		8B78.exe
PID 3048 wrote to memory of 336	3048		8B78.exe
PID 336 wrote to memory of 4204	336	8B78.exe	1.exe
PID 336 wrote to memory of 4204	336	8B78.exe	1.exe
PID 336 wrote to memory of 4204	336	8B78.exe	1.exe
PID 3048 wrote to memory of 3884	3048		8EF4.exe
PID 3048 wrote to memory of 3884	3048		8EF4.exe
PID 3048 wrote to memory of 3884	3048		8EF4.exe
PID 3048 wrote to memory of 3336	3048		953E.exe
PID 3048 wrote to memory of 3336	3048		953E.exe
PID 3048 wrote to memory of 3336	3048		953E.exe
PID 3048 wrote to memory of 4012	3048		99C3.exe
PID 3048 wrote to memory of 4012	3048		99C3.exe
PID 3048 wrote to memory of 4012	3048		99C3.exe
PID 3048 wrote to memory of 5092	3048		A453.exe
PID 3048 wrote to memory of 5092	3048		A453.exe
PID 3048 wrote to memory of 5092	3048		A453.exe
PID 3048 wrote to memory of 4288	3048		A8E8.exe
PID 3048 wrote to memory of 4288	3048		A8E8.exe
PID 3048 wrote to memory of 4288	3048		A8E8.exe
PID 3048 wrote to memory of 4704	3048		B1D2.exe
PID 3048 wrote to memory of 4704	3048		B1D2.exe
PID 3048 wrote to memory of 4956	3048		explorer.exe
PID 3048 wrote to memory of 4956	3048		explorer.exe
PID 3048 wrote to memory of 4956	3048		explorer.exe
PID 3048 wrote to memory of 4956	3048		explorer.exe
PID 3048 wrote to memory of 3424	3048		explorer.exe
PID 3048 wrote to memory of 3424	3048		explorer.exe
PID 3048 wrote to memory of 3424	3048		explorer.exe
PID 3048 wrote to memory of 4112	3048		explorer.exe
PID 3048 wrote to memory of 4112	3048		explorer.exe
PID 3048 wrote to memory of 4112	3048		explorer.exe
PID 3048 wrote to memory of 4112	3048		explorer.exe
PID 3048 wrote to memory of 8	3048		explorer.exe
PID 3048 wrote to memory of 8	3048		explorer.exe
PID 3048 wrote to memory of 8	3048		explorer.exe
PID 5092 wrote to memory of 1160	5092	A453.exe	cmd.exe
PID 5092 wrote to memory of 1160	5092	A453.exe	cmd.exe
PID 5092 wrote to memory of 1160	5092	A453.exe	cmd.exe
PID 3048 wrote to memory of 3436	3048		explorer.exe
PID 3048 wrote to memory of 3436	3048		explorer.exe
PID 3048 wrote to memory of 3436	3048		explorer.exe
PID 3048 wrote to memory of 3436	3048		explorer.exe
PID 1160 wrote to memory of 4244	1160	cmd.exe	WMIC.exe
PID 1160 wrote to memory of 4244	1160	cmd.exe	WMIC.exe
PID 1160 wrote to memory of 4244	1160	cmd.exe	WMIC.exe
PID 3048 wrote to memory of 4328	3048		explorer.exe
PID 3048 wrote to memory of 4328	3048		explorer.exe
PID 3048 wrote to memory of 4328	3048		explorer.exe
PID 3048 wrote to memory of 4328	3048		explorer.exe
PID 3048 wrote to memory of 2392	3048		explorer.exe
PID 3048 wrote to memory of 2392	3048		explorer.exe
PID 3048 wrote to memory of 2392	3048		explorer.exe
PID 3048 wrote to memory of 2392	3048		explorer.exe
PID 3884 wrote to memory of 4084	3884	8EF4.exe	RegAsm.exe
PID 3884 wrote to memory of 4084	3884	8EF4.exe	RegAsm.exe
PID 3884 wrote to memory of 4084	3884	8EF4.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe
"C:\Users\Admin\AppData\Local\Temp\3b27cb347865bcc539b7faad94c6ed0d383e2fec84f2ec6c5d32bfb83ba03def.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4828

C:\Users\Admin\AppData\Local\Temp\2B65.exe
C:\Users\Admin\AppData\Local\Temp\2B65.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Users\Admin\AppData\Local\Temp\2B65.exe
C:\Users\Admin\AppData\Local\Temp\2B65.exe
2⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Local\Temp\2B65.exe
C:\Users\Admin\AppData\Local\Temp\2B65.exe
2⤵
- Executes dropped EXE
PID:3848

C:\Users\Admin\AppData\Local\Temp\8B78.exe
C:\Users\Admin\AppData\Local\Temp\8B78.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
2⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\8EF4.exe
C:\Users\Admin\AppData\Local\Temp\8EF4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1404
3⤵
- Program crash
PID:3140

C:\Users\Admin\AppData\Local\Temp\953E.exe
C:\Users\Admin\AppData\Local\Temp\953E.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Users\Admin\AppData\Local\Temp\99C3.exe
C:\Users\Admin\AppData\Local\Temp\99C3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1352
2⤵
- Program crash
PID:4884

C:\Users\Admin\AppData\Local\Temp\A453.exe
C:\Users\Admin\AppData\Local\Temp\A453.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
PID:1932

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
PID:5080

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
PID:1760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe -Name CreationTime -Value \"06/13/2019 3:16 PM\""
2⤵
PID:3204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe -Name LastWriteTime -Value \"06/13/2019 3:16 PM\""
2⤵
PID:1216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe -Name LastAccessTime -Value \"06/13/2019 3:16 PM\""
2⤵
PID:3660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN Dameon /TR C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe"
2⤵
PID:4472

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN Dameon /TR C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe
3⤵
- Creates scheduled task(s)
PID:4696

C:\Users\Admin\AppData\Local\Temp\A8E8.exe
C:\Users\Admin\AppData\Local\Temp\A8E8.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1344
2⤵
- Program crash
PID:712

C:\Users\Admin\AppData\Local\Temp\B1D2.exe
C:\Users\Admin\AppData\Local\Temp\B1D2.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe
"C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe"
2⤵
- Executes dropped EXE
PID:944

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4668

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Executes dropped EXE
PID:2868

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:3980

C:\Users\Admin\AppData\Local\Temp\B1D2.exe
C:\Users\Admin\AppData\Local\Temp\B1D2.exe
2⤵
- Executes dropped EXE
PID:3720

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4956

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3424

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3436

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2392

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3548

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4084 -ip 4084
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4288 -ip 4288
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4012 -ip 4012
1⤵
PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
14KB

MD5
40e9bfbdce92b3d406ad388bb3dcca10

SHA1
9bd17ddbfc82346ac4e67c3f43510d802f9efa35

SHA256
c77c09d535cb6aaf12e29e531da18610b58fa6b30e7bb8ae8d37f4ee8667f8cb

SHA512
474bd5919779b27088a116246adcd201f2577fbe42d281b53d9e091a420b7cd98238f8f2f7989248484c220d5c91e55c30f4a8d4aa2a523c05a637df295ea6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
14KB

MD5
40e9bfbdce92b3d406ad388bb3dcca10

SHA1
9bd17ddbfc82346ac4e67c3f43510d802f9efa35

SHA256
c77c09d535cb6aaf12e29e531da18610b58fa6b30e7bb8ae8d37f4ee8667f8cb

SHA512
474bd5919779b27088a116246adcd201f2577fbe42d281b53d9e091a420b7cd98238f8f2f7989248484c220d5c91e55c30f4a8d4aa2a523c05a637df295ea6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
14KB

MD5
2e20c264947a1ddce2338c3abe74da4d

SHA1
8b960f33d93daa88b08c0cb01b2b1abc8e728267

SHA256
0b1b564d44adc00ab0720de5cecf3337d4e9b124f0ef14c520f9215124f9dcdb

SHA512
f5b518b0d91967967f6ee2dea57722f302a964b5247798efce889d113b83568aca9a08978b16140b841d093757ceaa6f6b1847bc0682cce3a69c38541e91fc4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
14KB

MD5
333a488544c9a5e205d13486889a75a4

SHA1
b95ad0fc94399d0c4e8ceefc8811e52d9258d66a

SHA256
eb6a6a0de6681be8dbb947ab31a0df4eb55d349d955769ab0efee580c0eba6be

SHA512
28f852d2596247d60b3f523bc8c8d3d991e6363b700e96c3609b1bf87d6496417e7402b6a580161ef652ed8f1206ee2f0214b2beb31ea201b338af2016087d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1531f039d9267663f68614123b381804

SHA1
7357192b95921efc360c2ae4f127fc67131e97d2

SHA256
bd77995663340b9309c75c8ebb5920218d5108c58851df2710b4e9fd793f62ce

SHA512
c59841bca94afe6c8d2822ca0982c5471914c388a4f8dcc6920c2d85f0279eb881e03b39447b4287ab35f7b6b1d8dd15e4889741da110383be12c33d4038ce2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B65.exe
Filesize
699KB

MD5
c6f4ffde851054ec2871e72833cd9d59

SHA1
e688103c4fa3ca815732f0f70f37d11f69232e04

SHA256
25502cd9907336216d2733d966787f67c47a6ea07a7895a4fa9f26e9206dd0e7

SHA512
47264796515d6ef559b9f33f68011230ba242f5edfc47ea28cc1f788930a6e42f42c7c2963bf727ab67e86e859ae877a139af91dd0e7e95581a69888ad192fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B65.exe
Filesize
699KB

MD5
c6f4ffde851054ec2871e72833cd9d59

SHA1
e688103c4fa3ca815732f0f70f37d11f69232e04

SHA256
25502cd9907336216d2733d966787f67c47a6ea07a7895a4fa9f26e9206dd0e7

SHA512
47264796515d6ef559b9f33f68011230ba242f5edfc47ea28cc1f788930a6e42f42c7c2963bf727ab67e86e859ae877a139af91dd0e7e95581a69888ad192fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B65.exe
Filesize
699KB

MD5
c6f4ffde851054ec2871e72833cd9d59

SHA1
e688103c4fa3ca815732f0f70f37d11f69232e04

SHA256
25502cd9907336216d2733d966787f67c47a6ea07a7895a4fa9f26e9206dd0e7

SHA512
47264796515d6ef559b9f33f68011230ba242f5edfc47ea28cc1f788930a6e42f42c7c2963bf727ab67e86e859ae877a139af91dd0e7e95581a69888ad192fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B65.exe
Filesize
699KB

MD5
c6f4ffde851054ec2871e72833cd9d59

SHA1
e688103c4fa3ca815732f0f70f37d11f69232e04

SHA256
25502cd9907336216d2733d966787f67c47a6ea07a7895a4fa9f26e9206dd0e7

SHA512
47264796515d6ef559b9f33f68011230ba242f5edfc47ea28cc1f788930a6e42f42c7c2963bf727ab67e86e859ae877a139af91dd0e7e95581a69888ad192fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B78.exe
Filesize
466KB

MD5
2955a7fdcda8c0768d106b135a352173

SHA1
1de1f74183421d4f811af2dc469840c8d266eec9

SHA256
3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

SHA512
c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B78.exe
Filesize
466KB

MD5
2955a7fdcda8c0768d106b135a352173

SHA1
1de1f74183421d4f811af2dc469840c8d266eec9

SHA256
3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

SHA512
c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EF4.exe
Filesize
19KB

MD5
9e229acdc6f95425943cfb15de9a1e91

SHA1
9430435fa9314646715fe33f571d97f77a25dabb

SHA256
897b6b30d508755797935022663e3c0e8bb0062eab8f2528a06c508e2a611903

SHA512
68e79f186620eb3dc3e1f44392a00ebee8d256f0f56cf67bcb5c3edc91be063873052f4809a5c2785d006f688f9635dfa1e52b15dd7d0e848a024ce98f6dd455

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EF4.exe
Filesize
19KB

MD5
9e229acdc6f95425943cfb15de9a1e91

SHA1
9430435fa9314646715fe33f571d97f77a25dabb

SHA256
897b6b30d508755797935022663e3c0e8bb0062eab8f2528a06c508e2a611903

SHA512
68e79f186620eb3dc3e1f44392a00ebee8d256f0f56cf67bcb5c3edc91be063873052f4809a5c2785d006f688f9635dfa1e52b15dd7d0e848a024ce98f6dd455

Download Submit
C:\Users\Admin\AppData\Local\Temp\953E.exe
Filesize
315KB

MD5
e906b58bdb9d838c9b0065d8bd61a5eb

SHA1
41f761de7dd6184691dfa9dda0badaeefb207806

SHA256
1a8df374fa85e671cfab78e3aa0f32a1e0031d37778ce43a4b83a7e2205a6934

SHA512
905e0c7410a9aaee822af4738e5e79b7b9e2cf13e905499d6b92820cddc1ef6dc7a9ad6dbf0cf675e7297cb3a76d92ad7c3bbadcf82b372a7175f79c4182128e

Download Submit
C:\Users\Admin\AppData\Local\Temp\953E.exe
Filesize
315KB

MD5
e906b58bdb9d838c9b0065d8bd61a5eb

SHA1
41f761de7dd6184691dfa9dda0badaeefb207806

SHA256
1a8df374fa85e671cfab78e3aa0f32a1e0031d37778ce43a4b83a7e2205a6934

SHA512
905e0c7410a9aaee822af4738e5e79b7b9e2cf13e905499d6b92820cddc1ef6dc7a9ad6dbf0cf675e7297cb3a76d92ad7c3bbadcf82b372a7175f79c4182128e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99C3.exe
Filesize
237KB

MD5
d721aa5fb80cb8439585838732ddda66

SHA1
e0ff77d67729bc979068408358cb29dbbf40cf22

SHA256
3fe71ff72cc08157f0cbb93be5051ae98b8ae88546f7bd1e1bee06bfa542dba2

SHA512
5d685d11467fda77e2cfb1223dd22f10c3a3e9262516e8be8ee57d3df9b32bb472174603071c3af7d1d4bf7794776a801d1ea5266392cf5dc5df88c35e851e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\99C3.exe
Filesize
237KB

MD5
d721aa5fb80cb8439585838732ddda66

SHA1
e0ff77d67729bc979068408358cb29dbbf40cf22

SHA256
3fe71ff72cc08157f0cbb93be5051ae98b8ae88546f7bd1e1bee06bfa542dba2

SHA512
5d685d11467fda77e2cfb1223dd22f10c3a3e9262516e8be8ee57d3df9b32bb472174603071c3af7d1d4bf7794776a801d1ea5266392cf5dc5df88c35e851e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\A453.exe
Filesize
4.3MB

MD5
06a1dc7aae769814998f99c0bca5ea41

SHA1
81ea40089386bffadd0e0a6bb780b7ddd4dc71a9

SHA256
ed14ed57c0a785e01024deffe5a05a79ed9d61a21c58ea8be136c79d31e2daa6

SHA512
aa4a4f8cfe7d7e68c6751e518763cbc509a7ba31699dc7541104170af1a19b439e9ae687d92c8b09450088317e58b5fc78b921646ddba0a28b1f080b7190f65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A453.exe
Filesize
4.3MB

MD5
06a1dc7aae769814998f99c0bca5ea41

SHA1
81ea40089386bffadd0e0a6bb780b7ddd4dc71a9

SHA256
ed14ed57c0a785e01024deffe5a05a79ed9d61a21c58ea8be136c79d31e2daa6

SHA512
aa4a4f8cfe7d7e68c6751e518763cbc509a7ba31699dc7541104170af1a19b439e9ae687d92c8b09450088317e58b5fc78b921646ddba0a28b1f080b7190f65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8E8.exe
Filesize
236KB

MD5
ae135c9b09deb9a72e3fa5286aa473e7

SHA1
d544617488a05590be04e771932ccff8b3e43e46

SHA256
49aacad637554371e55dae62d643fffcfc5b13c80a6474804321ae4f399a7a24

SHA512
756d1a143824a7ff6f48820c43ded94d866e3f386e8b353905eb6dcd446c3103592de90f97d6102406de75e52882acd329e924695ea4bfcc5d54b058d87d5205

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8E8.exe
Filesize
236KB

MD5
ae135c9b09deb9a72e3fa5286aa473e7

SHA1
d544617488a05590be04e771932ccff8b3e43e46

SHA256
49aacad637554371e55dae62d643fffcfc5b13c80a6474804321ae4f399a7a24

SHA512
756d1a143824a7ff6f48820c43ded94d866e3f386e8b353905eb6dcd446c3103592de90f97d6102406de75e52882acd329e924695ea4bfcc5d54b058d87d5205

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D2.exe
Filesize
4.0MB

MD5
9d44f4ff76a3fd78599ad60e2222f31e

SHA1
3c1e0a1bbcd66117fc1448da09ed27d8afef89c8

SHA256
684c5c936be10e93272aab54dba6d4492fffdf8eea4363e1e8767c744cb70b00

SHA512
b93729de3839fe79e0d9617e66e572c3d2f21da5f89aea23bd29e2970fad255c1c0b50ec82547497d513331e7e654a965b66f066672c0aec003ba203cc02df7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D2.exe
Filesize
4.0MB

MD5
9d44f4ff76a3fd78599ad60e2222f31e

SHA1
3c1e0a1bbcd66117fc1448da09ed27d8afef89c8

SHA256
684c5c936be10e93272aab54dba6d4492fffdf8eea4363e1e8767c744cb70b00

SHA512
b93729de3839fe79e0d9617e66e572c3d2f21da5f89aea23bd29e2970fad255c1c0b50ec82547497d513331e7e654a965b66f066672c0aec003ba203cc02df7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D2.exe
Filesize
4.0MB

MD5
9d44f4ff76a3fd78599ad60e2222f31e

SHA1
3c1e0a1bbcd66117fc1448da09ed27d8afef89c8

SHA256
684c5c936be10e93272aab54dba6d4492fffdf8eea4363e1e8767c744cb70b00

SHA512
b93729de3839fe79e0d9617e66e572c3d2f21da5f89aea23bd29e2970fad255c1c0b50ec82547497d513331e7e654a965b66f066672c0aec003ba203cc02df7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe
Filesize
502KB

MD5
261a200221b82c1df863923bde9a7b28

SHA1
1e5f3779911c5e0b8f91943fa496f527d96fd498

SHA256
7644f638ac181cb63d518e053e9e5878f64df8c7fdadb6423662ed9d0a11da71

SHA512
55b25a8aaf3b29b3fc9266140cb9574019124d611bb6293ee0b37690dc64f0ad5a77f343a52739bdc82bdfab8158bbe5090c73bfea2a33b787443dc25d13b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ypqqnhpnidnclient-built.exe
Filesize
502KB

MD5
261a200221b82c1df863923bde9a7b28

SHA1
1e5f3779911c5e0b8f91943fa496f527d96fd498

SHA256
7644f638ac181cb63d518e053e9e5878f64df8c7fdadb6423662ed9d0a11da71

SHA512
55b25a8aaf3b29b3fc9266140cb9574019124d611bb6293ee0b37690dc64f0ad5a77f343a52739bdc82bdfab8158bbe5090c73bfea2a33b787443dc25d13b753

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe
Filesize
530.3MB

MD5
92e3feabf7d4bbb0715ef497ee6428c4

SHA1
ca46dcd2483f8d43ed0a94a1c7f574d131628783

SHA256
7df5c5ca0db37329ccc56474603967a8078cdd3051ccb9bb0986c7ef46940f18

SHA512
c016390d3577d57adaca9b51d3b1a65a34294fa8e9971b1ed25cdaea71cf1e4152399308e98fd2acb350862e95951aba06e881c555932d2def53ae95d0bc23cc

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
502KB

MD5
261a200221b82c1df863923bde9a7b28

SHA1
1e5f3779911c5e0b8f91943fa496f527d96fd498

SHA256
7644f638ac181cb63d518e053e9e5878f64df8c7fdadb6423662ed9d0a11da71

SHA512
55b25a8aaf3b29b3fc9266140cb9574019124d611bb6293ee0b37690dc64f0ad5a77f343a52739bdc82bdfab8158bbe5090c73bfea2a33b787443dc25d13b753

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
502KB

MD5
261a200221b82c1df863923bde9a7b28

SHA1
1e5f3779911c5e0b8f91943fa496f527d96fd498

SHA256
7644f638ac181cb63d518e053e9e5878f64df8c7fdadb6423662ed9d0a11da71

SHA512
55b25a8aaf3b29b3fc9266140cb9574019124d611bb6293ee0b37690dc64f0ad5a77f343a52739bdc82bdfab8158bbe5090c73bfea2a33b787443dc25d13b753

Download Submit
C:\Windows\Temp\1.exe
Filesize
369KB

MD5
4a32a16c5a3c79ade487c098ee71a2be

SHA1
414b203eeb20ac7e74316fd2877ca4ebf52193df

SHA256
61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

SHA512
6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

Download Submit
C:\Windows\Temp\1.exe
Filesize
369KB

MD5
4a32a16c5a3c79ade487c098ee71a2be

SHA1
414b203eeb20ac7e74316fd2877ca4ebf52193df

SHA256
61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

SHA512
6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

Download Submit
memory/8-207-0x00000000009A0000-0x00000000009A6000-memory.dmp

Filesize
24KB

Download
memory/8-238-0x00000000009A0000-0x00000000009A6000-memory.dmp

Filesize
24KB

Download
memory/8-201-0x0000000000000000-mapping.dmp

Download
memory/8-204-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/336-149-0x0000000000000000-mapping.dmp

Download
memory/756-226-0x0000000000000000-mapping.dmp

Download
memory/756-228-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/756-229-0x00000000008A0000-0x00000000008AB000-memory.dmp

Filesize
44KB

Download
memory/944-269-0x0000000000000000-mapping.dmp

Download
memory/956-140-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/956-139-0x0000000000320000-0x00000000003D0000-memory.dmp

Filesize
704KB

Download
memory/956-136-0x0000000000000000-mapping.dmp

Download
memory/1100-146-0x0000000005F00000-0x0000000005F1E000-memory.dmp

Filesize
120KB

Download
memory/1100-144-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/1100-148-0x0000000006400000-0x000000000641A000-memory.dmp

Filesize
104KB

Download
memory/1100-141-0x0000000000000000-mapping.dmp

Download
memory/1100-142-0x0000000002910000-0x0000000002946000-memory.dmp

Filesize
216KB

Download
memory/1100-147-0x0000000007550000-0x0000000007BCA000-memory.dmp

Filesize
6.5MB

Download
memory/1100-143-0x0000000005260000-0x0000000005888000-memory.dmp

Filesize
6.2MB

Download
memory/1100-145-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/1160-205-0x0000000000000000-mapping.dmp

Download
memory/1216-260-0x0000000000000000-mapping.dmp

Download
memory/1644-249-0x0000000000000000-mapping.dmp

Download
memory/1760-227-0x0000000000000000-mapping.dmp

Download
memory/1932-219-0x0000000000000000-mapping.dmp

Download
memory/1948-237-0x0000000000000000-mapping.dmp

Download
memory/1948-240-0x00007FFB84620000-0x00007FFB850E1000-memory.dmp

Filesize
10.8MB

Download
memory/2392-217-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/2392-216-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/2392-215-0x0000000000000000-mapping.dmp

Download
memory/2868-280-0x0000000000000000-mapping.dmp

Download
memory/3204-235-0x0000000000000000-mapping.dmp

Download
memory/3336-163-0x0000000000000000-mapping.dmp

Download
memory/3424-234-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/3424-195-0x0000000000300000-0x000000000030F000-memory.dmp

Filesize
60KB

Download
memory/3424-194-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/3424-192-0x0000000000000000-mapping.dmp

Download
memory/3436-209-0x0000000000F30000-0x0000000000F57000-memory.dmp

Filesize
156KB

Download
memory/3436-239-0x0000000000F60000-0x0000000000F82000-memory.dmp

Filesize
136KB

Download
memory/3436-206-0x0000000000000000-mapping.dmp

Download
memory/3436-208-0x0000000000F60000-0x0000000000F82000-memory.dmp

Filesize
136KB

Download
memory/3548-225-0x0000000000F40000-0x0000000000F4D000-memory.dmp

Filesize
52KB

Download
memory/3548-224-0x0000000000F50000-0x0000000000F57000-memory.dmp

Filesize
28KB

Download
memory/3548-221-0x0000000000000000-mapping.dmp

Download
memory/3660-262-0x0000000000000000-mapping.dmp

Download
memory/3720-274-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/3720-275-0x0000000000400000-mapping.dmp

Download
memory/3848-253-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3848-251-0x0000000000000000-mapping.dmp

Download
memory/3884-162-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/3884-161-0x0000000005170000-0x000000000520C000-memory.dmp

Filesize
624KB

Download
memory/3884-160-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/3884-159-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/3884-157-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/3884-154-0x0000000000000000-mapping.dmp

Download
memory/3980-285-0x0000000000000000-mapping.dmp

Download
memory/4012-170-0x00000000021C0000-0x00000000021F8000-memory.dmp

Filesize
224KB

Download
memory/4012-199-0x0000000006F20000-0x00000000070E2000-memory.dmp

Filesize
1.8MB

Download
memory/4012-223-0x000000000062D000-0x0000000000657000-memory.dmp

Filesize
168KB

Download
memory/4012-174-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/4012-200-0x00000000070F0000-0x000000000761C000-memory.dmp

Filesize
5.2MB

Download
memory/4012-173-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/4012-198-0x0000000006E80000-0x0000000006EF6000-memory.dmp

Filesize
472KB

Download
memory/4012-172-0x0000000005270000-0x0000000005888000-memory.dmp

Filesize
6.1MB

Download
memory/4012-171-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4012-197-0x0000000006E10000-0x0000000006E60000-memory.dmp

Filesize
320KB

Download
memory/4012-176-0x00000000059B0000-0x00000000059EC000-memory.dmp

Filesize
240KB

Download
memory/4012-166-0x0000000000000000-mapping.dmp

Download
memory/4012-169-0x000000000062D000-0x0000000000657000-memory.dmp

Filesize
168KB

Download
memory/4084-220-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4084-218-0x0000000000000000-mapping.dmp

Download
memory/4112-196-0x0000000000000000-mapping.dmp

Download
memory/4112-203-0x0000000000930000-0x0000000000939000-memory.dmp

Filesize
36KB

Download
memory/4112-236-0x0000000000940000-0x0000000000945000-memory.dmp

Filesize
20KB

Download
memory/4112-202-0x0000000000940000-0x0000000000945000-memory.dmp

Filesize
20KB

Download
memory/4204-152-0x0000000000000000-mapping.dmp

Download
memory/4244-210-0x0000000000000000-mapping.dmp

Download
memory/4288-233-0x000000000064D000-0x0000000000677000-memory.dmp

Filesize
168KB

Download
memory/4288-241-0x000000000064D000-0x0000000000677000-memory.dmp

Filesize
168KB

Download
memory/4288-193-0x000000000064D000-0x0000000000677000-memory.dmp

Filesize
168KB

Download
memory/4288-179-0x0000000000000000-mapping.dmp

Download
memory/4288-189-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4288-188-0x0000000002210000-0x0000000002248000-memory.dmp

Filesize
224KB

Download
memory/4288-212-0x0000000006DD0000-0x0000000006DEE000-memory.dmp

Filesize
120KB

Download
memory/4328-211-0x0000000000000000-mapping.dmp

Download
memory/4328-213-0x0000000000D20000-0x0000000000D25000-memory.dmp

Filesize
20KB

Download
memory/4328-214-0x0000000000D10000-0x0000000000D19000-memory.dmp

Filesize
36KB

Download
memory/4472-264-0x0000000000000000-mapping.dmp

Download
memory/4668-279-0x0000000000000000-mapping.dmp

Download
memory/4696-266-0x0000000000000000-mapping.dmp

Download
memory/4704-230-0x00007FFB84620000-0x00007FFB850E1000-memory.dmp

Filesize
10.8MB

Download
memory/4704-232-0x0000020E15420000-0x0000020E15442000-memory.dmp

Filesize
136KB

Download
memory/4704-182-0x0000000000000000-mapping.dmp

Download
memory/4704-185-0x0000020E14BE0000-0x0000020E14FE4000-memory.dmp

Filesize
4.0MB

Download
memory/4704-187-0x00007FFB84620000-0x00007FFB850E1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-135-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/4828-134-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/4828-132-0x00000000008DD000-0x00000000008ED000-memory.dmp

Filesize
64KB

Download
memory/4828-133-0x0000000000810000-0x0000000000819000-memory.dmp

Filesize
36KB

Download
memory/4956-231-0x0000000000990000-0x0000000000997000-memory.dmp

Filesize
28KB

Download
memory/4956-190-0x0000000000990000-0x0000000000997000-memory.dmp

Filesize
28KB

Download
memory/4956-186-0x0000000000000000-mapping.dmp

Download
memory/4956-191-0x0000000000980000-0x000000000098B000-memory.dmp

Filesize
44KB

Download
memory/5080-222-0x0000000000000000-mapping.dmp

Download
memory/5092-175-0x0000000000000000-mapping.dmp

Download