quasar | c4f4b783e9b152a00d5cac8b82d2ae0c74fa848aaa4a524dc5cb81b1576aaab5

Analysis

max time kernel
267s
max time network
288s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (6).exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

flow ioc

37 api.ipify.org
3812 schtasks.exe
13 ip-api.com

flow	ioc
37	api.ipify.org
3812	schtasks.exe
13	ip-api.com

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral10/memory/4888-1-0x0000000000B10000-0x0000000000B7C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exeoOxiInXyNP4E.exe

pid process

1016 Client.exe
3348 oOxiInXyNP4E.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 api.ipify.org
13 ip-api.com
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

3812 schtasks.exe
4484 SCHTASKS.exe
388 schtasks.exe
1424 SCHTASKS.exe

flow	ioc
37	api.ipify.org
13	ip-api.com

pid	process
3812	schtasks.exe
4484	SCHTASKS.exe
388	schtasks.exe
1424	SCHTASKS.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3217732817"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3219837898"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3232707698"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31110325"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000030000000100000000000000001000000000700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31110325"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3217732817"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3219884283"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a41500000000020000000000106600000001000020000000a0e5607e0c4d6c8246aa2157324f94df3cf654a84137844d1018d84d260990d9000000000e8000000002000020000000cab544ff7671b0ace600d09ccf8ed093781b36a6198e0e052769bb3c9c3f06652000000073fd131370da01bdc1914386214689135088a20da535fd2ace9162e4a03fb5c840000000efe395f57ed520a79df546efb1a950c192c025243c9b48fbaa407012159244d82dfe2d32cb25ed41161365c11393d156fe972f52aed43fcec928cf21413a0e59	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31110325"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31110325"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EB0553F9-20A8-11EF-BCA5-EABD73F69B33} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 303db6aeb5b4da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31110325"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424074510"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Uni - Copy (6).exeClient.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4888	Uni - Copy (6).exe
Token: SeDebugPrivilege	1016	Client.exe
Token: 33	2688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2688	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

1176 iexplore.exe
1176 iexplore.exe
1176 iexplore.exe
1176 iexplore.exe

pid	process
1176	iexplore.exe
1176	iexplore.exe
1176	iexplore.exe
1176	iexplore.exe

Suspicious use of SetWindowsHookEx 52 IoCs

Processes:

Client.exeoOxiInXyNP4E.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1016	Client.exe
3348	oOxiInXyNP4E.exe
1176	iexplore.exe
1176	iexplore.exe
1176	iexplore.exe
1176	iexplore.exe
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
3232	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Uni - Copy (6).exeClient.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 4888 wrote to memory of 3812	4888	Uni - Copy (6).exe	schtasks.exe
PID 4888 wrote to memory of 3812	4888	Uni - Copy (6).exe	schtasks.exe
PID 4888 wrote to memory of 3812	4888	Uni - Copy (6).exe	schtasks.exe
PID 4888 wrote to memory of 1016	4888	Uni - Copy (6).exe	Client.exe
PID 4888 wrote to memory of 1016	4888	Uni - Copy (6).exe	Client.exe
PID 4888 wrote to memory of 1016	4888	Uni - Copy (6).exe	Client.exe
PID 4888 wrote to memory of 4484	4888	Uni - Copy (6).exe	SCHTASKS.exe
PID 4888 wrote to memory of 4484	4888	Uni - Copy (6).exe	SCHTASKS.exe
PID 4888 wrote to memory of 4484	4888	Uni - Copy (6).exe	SCHTASKS.exe
PID 1016 wrote to memory of 388	1016	Client.exe	schtasks.exe
PID 1016 wrote to memory of 388	1016	Client.exe	schtasks.exe
PID 1016 wrote to memory of 388	1016	Client.exe	schtasks.exe
PID 1016 wrote to memory of 3348	1016	Client.exe	oOxiInXyNP4E.exe
PID 1016 wrote to memory of 3348	1016	Client.exe	oOxiInXyNP4E.exe
PID 1016 wrote to memory of 3348	1016	Client.exe	oOxiInXyNP4E.exe
PID 1176 wrote to memory of 4224	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 4224	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 4224	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 3232	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 3232	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 3232	1176	iexplore.exe	IEXPLORE.EXE
PID 4224 wrote to memory of 1980	4224	IEXPLORE.EXE	splwow64.exe
PID 4224 wrote to memory of 1980	4224	IEXPLORE.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (6).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (6).exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:3812

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:388

C:\Users\Admin\AppData\Local\Temp\oOxiInXyNP4E.exe
"C:\Users\Admin\AppData\Local\Temp\oOxiInXyNP4E.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1424

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (6).exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (6).exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c4 0x2e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\OpenWrite.xsl
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:82946 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\OpenWrite.xsl
1⤵
- Modifies Internet Explorer settings
PID:3964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="532.0.1427536554\2117379599" -parentBuildID 20230214051806 -prefsHandle 1736 -prefMapHandle 1732 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc5c47a8-2b22-4bba-86be-ab1d63055bdf} 532 "\\.\pipe\gecko-crash-server-pipe.532" 1828 2995c20f958 gpu
3⤵
PID:3696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="532.1.705719459\2082076338" -parentBuildID 20230214051806 -prefsHandle 2352 -prefMapHandle 2368 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29691840-5807-4b2c-a4d9-5f8e98cf2156} 532 "\\.\pipe\gecko-crash-server-pipe.532" 2400 2994f586c58 socket
3⤵
PID:2284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="532.2.1142326018\1309331888" -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 3196 -prefsLen 22383 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fe95dc2-0797-4909-9f14-2698a5d56a94} 532 "\\.\pipe\gecko-crash-server-pipe.532" 3212 2995e92d358 tab
3⤵
PID:1872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="532.3.1408794306\1415181676" -childID 2 -isForBrowser -prefsHandle 4164 -prefMapHandle 4184 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16fbaa8e-2529-4289-b58b-43cfe45b55f7} 532 "\\.\pipe\gecko-crash-server-pipe.532" 4192 29960732d58 tab
3⤵
PID:5080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="532.4.812444868\209418048" -childID 3 -isForBrowser -prefsHandle 4860 -prefMapHandle 4796 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87b73631-4219-4bb2-afd5-f4587f6936b2} 532 "\\.\pipe\gecko-crash-server-pipe.532" 4900 29962454058 tab
3⤵
PID:1580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="532.5.480301905\1947468880" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4880 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff6fea01-53fd-451d-a791-3c6fce4579df} 532 "\\.\pipe\gecko-crash-server-pipe.532" 3160 299624b1b58 tab
3⤵
PID:744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="532.6.8112237\819041144" -childID 5 -isForBrowser -prefsHandle 5200 -prefMapHandle 5140 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ba5c3b6-04ff-4c16-9a8c-f206b95f271b} 532 "\\.\pipe\gecko-crash-server-pipe.532" 5212 299624b2158 tab
3⤵
PID:228

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Program Files\Mozilla Firefox\firefox.exe" ContextMenu
1⤵
PID:1764

C:\Windows\System32\msdt.exe
C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWBA34.xml /skip TRUE
2⤵
PID:1756

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:5500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\scoettgx\scoettgx.cmdline"
2⤵
PID:5812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD723.tmp" "c:\Users\Admin\AppData\Local\Temp\scoettgx\CSC70C7F682A3C74DF5A91ACB7BF1D9D6FF.TMP"
3⤵
PID:5848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\arbnzxjr\arbnzxjr.cmdline"
2⤵
PID:5904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
54929d49151f3d1deb92d4882fd7f29b

SHA1
74fb1bea4c7ba9b9c69aacab601ad211cc80e12d

SHA256
39e5885ca8868a5612268f987e7007fb20526221c11af4e62426bbab4fdc2141

SHA512
3900823e9765f7cde1d6148c9d9de8079805d30f421728cf675e1c1264440be1a037394edc9c1e0a4497d2658d7897784a96062b6eb1b829ee1245fadb83087d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
fb046233fff8481eda41739d07f4ba70

SHA1
388648ae165fb0ad6b5843ca252dbd5e9d3a72e2

SHA256
c23fe0ed81cd2544dbb1d58c5800389f93958f3976c0034e3ac7badef8aea051

SHA512
0da1d80fb3013511bc2842416783c859beac666445db196bba073398be95538fb6ee11f7360f2c02c6c2e1ddabfdba2db62a4857e3e9b3e3de7229e0763825f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verA49E.tmp
Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4GS3HSIQ.xml
Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWBA34.xml
Filesize
728B

MD5
6168825440dcc34b6c6e904579b13bc1

SHA1
c69fb94feba5e6c0d9cb2b7421c1f1caa5a46112

SHA256
0ffbd8da85b2d7fdee6f1a9487582ca1b5e66c37b702ac070f49443e0a83c888

SHA512
a8e7bef4452ababb4bdda886c01fcbeda67ab4ae2a451d9bc19c7510305e424d734f45ffb3385bb2ac5abb8a5ffa645f4327b05a45e987b0b81c6745ac172a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD723.tmp
Filesize
1KB

MD5
d6708a1a74947b27e36ba97792fa3634

SHA1
c2a1a9991f7e68dcf874587b7324005e3823a130

SHA256
24b0f6279100d22d22fa1c4b57fdfc3bf74bef39aeec6b834e6f62251fe21c6a

SHA512
6f069101e575187d2bc1d2c983b9cd092417020b7cc405d9240680951ca384fbf2e2cee9db04a922170b7e4393a69e8bf274ec24f0b6d50454f80fa600bdd760

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_godm4qqo.jra.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oOxiInXyNP4E.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoettgx\scoettgx.dll
Filesize
5KB

MD5
6d98c9e7791381e4acc4137bdbefb7e6

SHA1
d747fbd6cf7ff18d42bd69b07b1ae49c3c5f1b91

SHA256
6255628f02b6acda436dc7215d9a30ef9fc6d2d7ad7880bcb3a8cbcb82e52932

SHA512
8208d0d1a949c902cdbb5aceea3f1b74f811f5c47108ec158f9001040ee0699f5a14bceb00f987d12070f42ff2d860b431a364b87acbeba17663c84c30802d8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
6KB

MD5
1dbca2f0f1045a1d2529466c224aade3

SHA1
aa8799298b699446b0b7a8f2cc7684f1d56760b2

SHA256
ffdfd0fde15a5713cd0c4357877e8ccf942b3f65c269209175f4802069dda05a

SHA512
1ad31b74c7c84dbd425f33c0c663b3e0897319300af9c56528e6b4b700f16399bc16cd5b93d2d971dd959300b26a0d4989b0a05319dcb0491ed4732bca38eb55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
6KB

MD5
c21a071a056dff1915bd62471824e009

SHA1
1fc3be62f244b73a320b06ec82774b8c8e5569bb

SHA256
ca5cc57c1e62bd42f8c3c2c65a20f5abb874c2ea68c4110b28b5c9f536466815

SHA512
b2bb3293df94f2cd96b891c8e3b0d3a932e8a2a51b4b1bc356eeee2347e5f3fcd4140751bfb8b9337bafbff39ac2937bcc954f8d011d0633d96ca90d78a1542b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
7KB

MD5
fb0a0fb85b557fdef646653ac10b1e4e

SHA1
3da5925459bf3f32f44efdd6bcb9390c580b5109

SHA256
55301df8045710d5ba1cb0c2aed8a20e5cb0b14c8556be5576fd3f3447cac7ca

SHA512
559fb12c05a6a1d96c396c54d4cc7408acb294e082c079143a341fa9ecb5b7773b8203775c24a36247eff135c11d8df0a9f68776a3acf01420216ca3cf23798b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs.js
Filesize
6KB

MD5
66aa276bfe243ca76b67ec4897e93a8b

SHA1
96c4f139305e002f1c58640359b289a8aba45fbd

SHA256
26072ce889b5acf69844adcad49354de8bf4c0b3f96637472185cce906e2b6ca

SHA512
8f2231fd9e5b6c370604b7dc6a4a6cb64a83b55998355d5dce2e075dfd461a9682e9fb1bbbb8b002841bd06d99664233eac6810e1382d9b4dc5778f633771a2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
9a9a5b961699ca3ef80ac65a6191712c

SHA1
afb63e2885bb046a862c9873ef60e4b54523011a

SHA256
39ec4a26c43687765f5d557fb168625aaf6d9f7f998d8054875e833a4516a9a9

SHA512
6d5d1fa9987182ee6908c8190b108476e81bed5671fcf5d8231444a015d7d128cb53138371347cfb0fb16c35f19e652c2c94664e5e912d890876ed6c60047603

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
C:\Windows\TEMP\SDIAG_d77939f7-2620-4c7f-b5a6-45cd344ccfd5\TS_ProgramCompatibilityWizard.ps1
Filesize
16KB

MD5
925f0b68b4de450cabe825365a43a05b

SHA1
b6c57383a9bd732db7234d1bb34fd75d06e1fb72

SHA256
5b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025

SHA512
012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af

Download Submit
C:\Windows\TEMP\SDIAG_d77939f7-2620-4c7f-b5a6-45cd344ccfd5\en-US\CL_LocalizationData.psd1
Filesize
6KB

MD5
2c81a148f8e851ce008686f96e5bf911

SHA1
272289728564c9af2c2bd8974693a099beb354ad

SHA256
1a2381382671147f56cf137e749cb8a18f176a16793b2266a70154ee27971437

SHA512
409c2e953672b0399987ec85c7113c9154bc9d6ca87cf523485d9913bb0bf92a850638c84b8dc07a96b6366d406a094d32dc62dd76417c0d4e4ae86d8fcb8bbb

Download Submit
C:\Windows\Temp\SDIAG_d77939f7-2620-4c7f-b5a6-45cd344ccfd5\DiagPackage.dll
Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_d77939f7-2620-4c7f-b5a6-45cd344ccfd5\en-US\DiagPackage.dll.mui
Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\scoettgx\CSC70C7F682A3C74DF5A91ACB7BF1D9D6FF.TMP
Filesize
652B

MD5
5eca7d7fa375dac6e0a0bc4532404632

SHA1
37e4d2ffc110814089cd7b418de9ca62c03c767d

SHA256
b8e2e961f3c3b5eb5fed759b11aac1d4749d810c41dfee0dd7a58d2bacc28a37

SHA512
076be2fbde9148deec6e663a031ebb4dfeac803971843e3c1ee8be697e084513128ef5e3ff6c29411445943da141a66bbfef839267342387af495bfb08cc09b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\scoettgx\scoettgx.0.cs
Filesize
5KB

MD5
fc2e5c90a6cb21475ea3d4254457d366

SHA1
68f9e628a26eb033f1ee5b7e38d440cfd598c85d

SHA256
58fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77

SHA512
c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\scoettgx\scoettgx.cmdline
Filesize
356B

MD5
4696bfc42cdad43b590bf27b8ca5c4f8

SHA1
429480267221256dbe14038cbbcd5c36ed2e805b

SHA256
247bcf25e4248b06ee858de2e3688341581c913a34347e845b07876e6232ba78

SHA512
7ecefb23e62ecef77cb76598e7609591f7e106c63e394d0de852e85bf1f529ba2602036c3678f1758aec0448785456cf4452b716690700953e25396d75950a02

Download Submit
memory/1016-20-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/1016-95-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/1016-19-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/1016-18-0x00000000068F0000-0x00000000068FA000-memory.dmp

Filesize
40KB

Download
memory/1016-16-0x00000000062E0000-0x000000000631C000-memory.dmp

Filesize
240KB

Download
memory/1016-13-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/1016-12-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/4888-15-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/4888-0-0x00000000750BE000-0x00000000750BF000-memory.dmp

Filesize
4KB

Download
memory/4888-6-0x0000000006290000-0x00000000062A2000-memory.dmp

Filesize
72KB

Download
memory/4888-5-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/4888-4-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/4888-3-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/4888-2-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/4888-1-0x0000000000B10000-0x0000000000B7C000-memory.dmp

Filesize
432KB

Download
memory/5500-333-0x000001BB49C80000-0x000001BB49CA2000-memory.dmp

Filesize
136KB

Download
memory/5500-353-0x000001BB49CC0000-0x000001BB49CC8000-memory.dmp

Filesize
32KB

Download