quasar | 427895a73d7150c8f132f251c230ae0686ee0b89e13e46258f40b0de1cc5e638

Resubmissions

14-06-2024 04:34

240614-e7engsvfqb 10

10-09-2023 03:56

230910-ehlqhafa99 10

10-09-2023 03:52

230910-ee9yxsfa96 10

Analysis

max time kernel
151s
max time network
166s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-09-2023 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImageLoggerV12.exe
Size

67.2MB
MD5

c32642c9ee6b0645a1b8e79827d3b527
SHA1

c91233c4cb87e810989c4135aa5956aadb74240a
SHA256

427895a73d7150c8f132f251c230ae0686ee0b89e13e46258f40b0de1cc5e638
SHA512

6447dc0a21efe22b7b80143e34aeba0e0a788a6d7802f16ae9430fb2040284ea8254b4740da84229447410e4ddbadc235b1cebcf8d797915b66c83aa88c8b2fc
SSDEEP

1572864:132XjX2pJxhQnieFTnt9bN4bfZDbNmkXfSWd+Ut8y4:1N7iTn2dDJF6WDO

Score

10^/10

quasar xmrig office04 miner spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

NareReti-40382.portmap.host:40382

Mutex

1f3547a3-6112-47d5-9c48-4fb1bd3d6344

Attributes

encryption_key
CE886B4F24E457903274F7555F940215147255CD
install_name
CasNic.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Google Chrome
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\GC.exe	family_quasar
behavioral1/memory/1092-65-0x0000000001150000-0x0000000001474000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\GC.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe	family_quasar
behavioral1/memory/2480-101-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/1596-110-0x0000000002630000-0x00000000026B0000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

Processes:

mainPannel.exeupdater.exe

description	pid	process	target process
PID 2540 created 1280	2540	mainPannel.exe	Explorer.EXE
PID 2540 created 1280	2540	mainPannel.exe	Explorer.EXE
PID 2540 created 1280	2540	mainPannel.exe	Explorer.EXE
PID 2540 created 1280	2540	mainPannel.exe	Explorer.EXE
PID 1996 created 1280	1996	updater.exe	Explorer.EXE
PID 1996 created 1280	1996	updater.exe	Explorer.EXE
PID 1996 created 1280	1996	updater.exe	Explorer.EXE
PID 1996 created 1280	1996	updater.exe	Explorer.EXE
PID 1996 created 1280	1996	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1996-168-0x000000013F360000-0x0000000142BEE000-memory.dmp	xmrig
behavioral1/memory/1896-172-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1896-175-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1896-178-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1896-180-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1896-182-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1896-184-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

13 1896 cmd.exe
Executes dropped EXE 8 IoCs

Processes:

Logger.exeLogger.exemainPannel.exeUI.exeGC.exeExplorer.EXECasNic.exeupdater.exe

pid process

2752 Logger.exe
2668 Logger.exe
2540 mainPannel.exe
3040 UI.exe
1092 GC.exe
1280 Explorer.EXE
2480 CasNic.exe
1996 updater.exe
Loads dropped DLL 6 IoCs

Processes:

ImageLoggerV12.exeLogger.exeLogger.exeExplorer.EXEtaskeng.exe

pid process

1064 ImageLoggerV12.exe
2752 Logger.exe
2668 Logger.exe
1064 ImageLoggerV12.exe
1280 Explorer.EXE
1452 taskeng.exe

flow	pid	process
13	1896	cmd.exe

pid	process
2752	Logger.exe
2668	Logger.exe
2540	mainPannel.exe
3040	UI.exe
1092	GC.exe
1280	Explorer.EXE
2480	CasNic.exe
1996	updater.exe

pid	process
1064	ImageLoggerV12.exe
2752	Logger.exe
2668	Logger.exe
1064	ImageLoggerV12.exe
1280	Explorer.EXE
1452	taskeng.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI27522\python311.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI27522\python311.dll	upx
behavioral1/memory/2668-44-0x000007FEEC1A0000-0x000007FEEC789000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1996 set thread context of 1524	1996	updater.exe	conhost.exe
PID 1996 set thread context of 1896	1996	updater.exe	cmd.exe

Drops file in Program Files directory 2 IoCs

Processes:

mainPannel.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	mainPannel.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3020 schtasks.exe
1880 schtasks.exe
3024 schtasks.exe
1124 schtasks.exe

pid	process
3020	schtasks.exe
1880	schtasks.exe
3024	schtasks.exe
1124	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 7056e7609be3d901	powershell.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

powershell.exemainPannel.exepowershell.exepowershell.exeupdater.exepowershell.exepowershell.exe

pid	process
2592	powershell.exe
2540	mainPannel.exe
2540	mainPannel.exe
1596	powershell.exe
2540	mainPannel.exe
2540	mainPannel.exe
2540	mainPannel.exe
2540	mainPannel.exe
1212	powershell.exe
2540	mainPannel.exe
2540	mainPannel.exe
1996	updater.exe
1996	updater.exe
1120	powershell.exe
1996	updater.exe
1996	updater.exe
1996	updater.exe
1996	updater.exe
2348	powershell.exe
1996	updater.exe
1996	updater.exe
1996	updater.exe
1996	updater.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

powershell.exeGC.exeCasNic.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.execmd.exe

description	pid	process
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1092	GC.exe
Token: SeDebugPrivilege	2480	CasNic.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeShutdownPrivilege	2068	powercfg.exe
Token: SeShutdownPrivilege	1204	powercfg.exe
Token: SeShutdownPrivilege	2080	powercfg.exe
Token: SeShutdownPrivilege	1656	powercfg.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeShutdownPrivilege	2216	powercfg.exe
Token: SeShutdownPrivilege	1316	powercfg.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeShutdownPrivilege	2424	powercfg.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeLockMemoryPrivilege	1896	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CasNic.exe

pid process

2480 CasNic.exe

pid	process
2480	CasNic.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

ImageLoggerV12.exeLogger.exeGC.exeCasNic.execmd.exepowershell.exetaskeng.execmd.exepowershell.exeupdater.exe

description	pid	process	target process
PID 1064 wrote to memory of 2592	1064	ImageLoggerV12.exe	powershell.exe
PID 1064 wrote to memory of 2592	1064	ImageLoggerV12.exe	powershell.exe
PID 1064 wrote to memory of 2592	1064	ImageLoggerV12.exe	powershell.exe
PID 1064 wrote to memory of 2752	1064	ImageLoggerV12.exe	Logger.exe
PID 1064 wrote to memory of 2752	1064	ImageLoggerV12.exe	Logger.exe
PID 1064 wrote to memory of 2752	1064	ImageLoggerV12.exe	Logger.exe
PID 2752 wrote to memory of 2668	2752	Logger.exe	Logger.exe
PID 2752 wrote to memory of 2668	2752	Logger.exe	Logger.exe
PID 2752 wrote to memory of 2668	2752	Logger.exe	Logger.exe
PID 1064 wrote to memory of 2540	1064	ImageLoggerV12.exe	mainPannel.exe
PID 1064 wrote to memory of 2540	1064	ImageLoggerV12.exe	mainPannel.exe
PID 1064 wrote to memory of 2540	1064	ImageLoggerV12.exe	mainPannel.exe
PID 1064 wrote to memory of 3040	1064	ImageLoggerV12.exe	UI.exe
PID 1064 wrote to memory of 3040	1064	ImageLoggerV12.exe	UI.exe
PID 1064 wrote to memory of 3040	1064	ImageLoggerV12.exe	UI.exe
PID 1064 wrote to memory of 3040	1064	ImageLoggerV12.exe	UI.exe
PID 1064 wrote to memory of 1092	1064	ImageLoggerV12.exe	GC.exe
PID 1064 wrote to memory of 1092	1064	ImageLoggerV12.exe	GC.exe
PID 1064 wrote to memory of 1092	1064	ImageLoggerV12.exe	GC.exe
PID 1092 wrote to memory of 1880	1092	GC.exe	schtasks.exe
PID 1092 wrote to memory of 1880	1092	GC.exe	schtasks.exe
PID 1092 wrote to memory of 1880	1092	GC.exe	schtasks.exe
PID 1092 wrote to memory of 2480	1092	GC.exe	CasNic.exe
PID 1092 wrote to memory of 2480	1092	GC.exe	CasNic.exe
PID 1092 wrote to memory of 2480	1092	GC.exe	CasNic.exe
PID 2480 wrote to memory of 3024	2480	CasNic.exe	schtasks.exe
PID 2480 wrote to memory of 3024	2480	CasNic.exe	schtasks.exe
PID 2480 wrote to memory of 3024	2480	CasNic.exe	schtasks.exe
PID 2548 wrote to memory of 2068	2548	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 2068	2548	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 2068	2548	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 1204	2548	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 1204	2548	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 1204	2548	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 2080	2548	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 2080	2548	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 2080	2548	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 1124	1212	powershell.exe	schtasks.exe
PID 1212 wrote to memory of 1124	1212	powershell.exe	schtasks.exe
PID 1212 wrote to memory of 1124	1212	powershell.exe	schtasks.exe
PID 2548 wrote to memory of 1656	2548	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 1656	2548	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 1656	2548	cmd.exe	powercfg.exe
PID 1452 wrote to memory of 1996	1452	taskeng.exe	updater.exe
PID 1452 wrote to memory of 1996	1452	taskeng.exe	updater.exe
PID 1452 wrote to memory of 1996	1452	taskeng.exe	updater.exe
PID 2208 wrote to memory of 2216	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 2216	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 2216	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 1316	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 1316	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 1316	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 2420	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 2420	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 2420	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 2424	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 2424	2208	cmd.exe	powercfg.exe
PID 2208 wrote to memory of 2424	2208	cmd.exe	powercfg.exe
PID 2348 wrote to memory of 3020	2348	powershell.exe	schtasks.exe
PID 2348 wrote to memory of 3020	2348	powershell.exe	schtasks.exe
PID 2348 wrote to memory of 3020	2348	powershell.exe	schtasks.exe
PID 1996 wrote to memory of 1524	1996	updater.exe	conhost.exe
PID 1996 wrote to memory of 1896	1996	updater.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280

C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAawBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAeABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegBsACMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668

C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
"C:\Users\Admin\AppData\Local\Temp\mainPannel.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Users\Admin\AppData\Local\Temp\UI.exe
"C:\Users\Admin\AppData\Local\Temp\UI.exe"
3⤵
- Executes dropped EXE
PID:3040

C:\Users\Admin\AppData\Local\Temp\GC.exe
"C:\Users\Admin\AppData\Local\Temp\GC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1880

C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:1124

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:3020

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:1524

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\system32\taskeng.exe
taskeng.exe {7BB91E59-794E-46F2-84A1-8A088423A2F2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GC.exe
Filesize
3.1MB

MD5
b2bcd053c6452f8a04ba108d850f9781

SHA1
d69a9b01e46a84347317f93898c270b0df1fd4ca

SHA256
4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec

SHA512
e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GC.exe
Filesize
3.1MB

MD5
b2bcd053c6452f8a04ba108d850f9781

SHA1
d69a9b01e46a84347317f93898c270b0df1fd4ca

SHA256
4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec

SHA512
e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UI.exe
Filesize
443KB

MD5
a6d1f2686c50110de2fd76df4dcb7057

SHA1
75f47ac32fada1bb9371b45006c2b1744347790a

SHA256
ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446

SHA512
f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\UI.exe
Filesize
443KB

MD5
a6d1f2686c50110de2fd76df4dcb7057

SHA1
75f47ac32fada1bb9371b45006c2b1744347790a

SHA256
ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446

SHA512
f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\UI.exe
Filesize
443KB

MD5
a6d1f2686c50110de2fd76df4dcb7057

SHA1
75f47ac32fada1bb9371b45006c2b1744347790a

SHA256
ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446

SHA512
f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27522\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
C:\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
C:\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\43NR5AJTUV2239IUQVQL.temp
Filesize
7KB

MD5
cabd4fe252753a9759c60bcfae79db86

SHA1
4debab789e3be1e9ce21670d68bcad9bfa9cdd7e

SHA256
ec44e5549491030362d58c7c3e824b7e01fd826295dbc3cd3dc6c01296626203

SHA512
cd248ce4aa2356632ec3b0e81afb3eae65e75b28ca77d5baf9e9d44a80f1e28d0e4f16e328977d1620b792a7eed34e018266bb8cb89898cb74a63a3e7100bd69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cabd4fe252753a9759c60bcfae79db86

SHA1
4debab789e3be1e9ce21670d68bcad9bfa9cdd7e

SHA256
ec44e5549491030362d58c7c3e824b7e01fd826295dbc3cd3dc6c01296626203

SHA512
cd248ce4aa2356632ec3b0e81afb3eae65e75b28ca77d5baf9e9d44a80f1e28d0e4f16e328977d1620b792a7eed34e018266bb8cb89898cb74a63a3e7100bd69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cabd4fe252753a9759c60bcfae79db86

SHA1
4debab789e3be1e9ce21670d68bcad9bfa9cdd7e

SHA256
ec44e5549491030362d58c7c3e824b7e01fd826295dbc3cd3dc6c01296626203

SHA512
cd248ce4aa2356632ec3b0e81afb3eae65e75b28ca77d5baf9e9d44a80f1e28d0e4f16e328977d1620b792a7eed34e018266bb8cb89898cb74a63a3e7100bd69

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
Filesize
3.1MB

MD5
b2bcd053c6452f8a04ba108d850f9781

SHA1
d69a9b01e46a84347317f93898c270b0df1fd4ca

SHA256
4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec

SHA512
e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
Filesize
3.1MB

MD5
b2bcd053c6452f8a04ba108d850f9781

SHA1
d69a9b01e46a84347317f93898c270b0df1fd4ca

SHA256
4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec

SHA512
e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
Filesize
3.1MB

MD5
b2bcd053c6452f8a04ba108d850f9781

SHA1
d69a9b01e46a84347317f93898c270b0df1fd4ca

SHA256
4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec

SHA512
e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27522\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
\Users\Admin\AppData\Local\Temp\mainPannel.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
memory/1064-67-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1064-0-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1064-64-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1064-2-0x000000001F470000-0x000000001F4F0000-memory.dmp

Filesize
512KB

Download
memory/1064-1-0x0000000000F80000-0x00000000052AC000-memory.dmp

Filesize
67.2MB

Download
memory/1092-65-0x0000000001150000-0x0000000001474000-memory.dmp

Filesize
3.1MB

Download
memory/1092-66-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1092-99-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1092-93-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/1120-147-0x0000000019B00000-0x0000000019DE2000-memory.dmp

Filesize
2.9MB

Download
memory/1120-154-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp

Filesize
9.6MB

Download
memory/1120-148-0x00000000011C0000-0x0000000001240000-memory.dmp

Filesize
512KB

Download
memory/1120-146-0x00000000011C0000-0x0000000001240000-memory.dmp

Filesize
512KB

Download
memory/1120-149-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp

Filesize
9.6MB

Download
memory/1120-145-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp

Filesize
9.6MB

Download
memory/1120-151-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/1120-152-0x00000000011C0000-0x0000000001240000-memory.dmp

Filesize
512KB

Download
memory/1120-153-0x00000000011C0000-0x0000000001240000-memory.dmp

Filesize
512KB

Download
memory/1212-130-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/1212-134-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp

Filesize
9.6MB

Download
memory/1212-126-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/1212-128-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/1212-127-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp

Filesize
9.6MB

Download
memory/1212-123-0x000000001AFF0000-0x000000001B2D2000-memory.dmp

Filesize
2.9MB

Download
memory/1212-125-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp

Filesize
9.6MB

Download
memory/1212-124-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/1524-179-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1524-171-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1596-112-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp

Filesize
9.6MB

Download
memory/1596-111-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1596-109-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Filesize
2.9MB

Download
memory/1596-116-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp

Filesize
9.6MB

Download
memory/1596-115-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1596-110-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1596-114-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp

Filesize
9.6MB

Download
memory/1596-113-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1896-172-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1896-169-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1896-176-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/1896-178-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1896-175-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1896-173-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/1896-180-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1896-182-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1896-184-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1996-168-0x000000013F360000-0x0000000142BEE000-memory.dmp

Filesize
56.6MB

Download
memory/1996-150-0x000000013F360000-0x0000000142BEE000-memory.dmp

Filesize
56.6MB

Download
memory/1996-144-0x000000013F360000-0x0000000142BEE000-memory.dmp

Filesize
56.6MB

Download
memory/2348-159-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/2348-162-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-160-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-158-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/2348-161-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/2348-157-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-103-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/2480-132-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2480-133-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/2480-101-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/2480-100-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-137-0x000000013F640000-0x0000000142ECE000-memory.dmp

Filesize
56.6MB

Download
memory/2540-139-0x000000013F640000-0x0000000142ECE000-memory.dmp

Filesize
56.6MB

Download
memory/2540-117-0x000000013F640000-0x0000000142ECE000-memory.dmp

Filesize
56.6MB

Download
memory/2540-92-0x000000013F640000-0x0000000142ECE000-memory.dmp

Filesize
56.6MB

Download
memory/2592-45-0x000000000296B000-0x00000000029D2000-memory.dmp

Filesize
412KB

Download
memory/2592-43-0x000007FEF1FA0000-0x000007FEF293D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-37-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download
memory/2592-40-0x000007FEF1FA0000-0x000007FEF293D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-41-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2592-42-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2592-38-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2668-44-0x000007FEEC1A0000-0x000007FEEC789000-memory.dmp

Filesize
5.9MB

Download
memory/3040-143-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/3040-68-0x0000000000FE0000-0x0000000001056000-memory.dmp

Filesize
472KB

Download
memory/3040-69-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-129-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-102-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/3040-131-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/3040-135-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download