quasar | fcd5b843d50ec2f973aaa27e54b6bf045931cc3cb8d9bea4edaade352fe0f7d5

Analysis

max time kernel
300s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (15) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

384 schtasks.exe
12 ip-api.com
23 api.ipify.org

pid	process
384	schtasks.exe
12	ip-api.com
23	api.ipify.org

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral12/memory/4436-1-0x0000000000A70000-0x0000000000ADC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exeurjHh4b7knaJ.exe

pid process

2744 Client.exe
4440 urjHh4b7knaJ.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
23 api.ipify.org

flow	ioc
12	ip-api.com
23	api.ipify.org

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exePOWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

384 schtasks.exe
4572 SCHTASKS.exe
3008 schtasks.exe
5972 SCHTASKS.exe

pid	process
384	schtasks.exe
4572	SCHTASKS.exe
3008	schtasks.exe
5972	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exePOWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617831998671249"	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings firefox.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

vlc.exePOWERPNT.EXEvlc.exe

pid process

2864 vlc.exe
6080 POWERPNT.EXE
5780 vlc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1288 chrome.exe
1288 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

vlc.exevlc.exe

pid process

2864 vlc.exe
5780 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1288 chrome.exe
1288 chrome.exe
1288 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	firefox.exe

pid	process
1288	chrome.exe
1288	chrome.exe

pid	process
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Uni - Copy (15) - Copy.exeClient.exeAUDIODG.EXEfirefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4436	Uni - Copy (15) - Copy.exe
Token: SeDebugPrivilege	2744	Client.exe
Token: 33	8	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	8	AUDIODG.EXE
Token: SeDebugPrivilege	3528	firefox.exe
Token: SeDebugPrivilege	3528	firefox.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

vlc.exefirefox.exevlc.exechrome.exe

pid	process
2864	vlc.exe
2864	vlc.exe
2864	vlc.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
5780	vlc.exe
5780	vlc.exe
5780	vlc.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

vlc.exefirefox.exevlc.exechrome.exe

pid	process
2864	vlc.exe
2864	vlc.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
5780	vlc.exe
5780	vlc.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Client.exeurjHh4b7knaJ.exevlc.exefirefox.exePOWERPNT.EXEvlc.exe

pid	process
2744	Client.exe
4440	urjHh4b7knaJ.exe
2864	vlc.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
6080	POWERPNT.EXE
6080	POWERPNT.EXE
5780	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (15) - Copy.exeClient.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4436 wrote to memory of 384	4436	Uni - Copy (15) - Copy.exe	schtasks.exe
PID 4436 wrote to memory of 384	4436	Uni - Copy (15) - Copy.exe	schtasks.exe
PID 4436 wrote to memory of 384	4436	Uni - Copy (15) - Copy.exe	schtasks.exe
PID 4436 wrote to memory of 2744	4436	Uni - Copy (15) - Copy.exe	Client.exe
PID 4436 wrote to memory of 2744	4436	Uni - Copy (15) - Copy.exe	Client.exe
PID 4436 wrote to memory of 2744	4436	Uni - Copy (15) - Copy.exe	Client.exe
PID 4436 wrote to memory of 4572	4436	Uni - Copy (15) - Copy.exe	SCHTASKS.exe
PID 4436 wrote to memory of 4572	4436	Uni - Copy (15) - Copy.exe	SCHTASKS.exe
PID 4436 wrote to memory of 4572	4436	Uni - Copy (15) - Copy.exe	SCHTASKS.exe
PID 2744 wrote to memory of 3008	2744	Client.exe	schtasks.exe
PID 2744 wrote to memory of 3008	2744	Client.exe	schtasks.exe
PID 2744 wrote to memory of 3008	2744	Client.exe	schtasks.exe
PID 2744 wrote to memory of 4440	2744	Client.exe	urjHh4b7knaJ.exe
PID 2744 wrote to memory of 4440	2744	Client.exe	urjHh4b7knaJ.exe
PID 2744 wrote to memory of 4440	2744	Client.exe	urjHh4b7knaJ.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 3528	4684	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe
PID 3528 wrote to memory of 2300	3528	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:384

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3008

C:\Users\Admin\AppData\Local\Temp\urjHh4b7knaJ.exe
"C:\Users\Admin\AppData\Local\Temp\urjHh4b7knaJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5972

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Desktop\SkipUnpublish.3gp2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.0.1934428341\1983896767" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed4f0cb1-c012-4df8-b68e-57668da1dd9d} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 1868 24578f0ad58 gpu
3⤵
PID:2300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.1.20634339\193000293" -parentBuildID 20230214051806 -prefsHandle 2412 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad9bf36-9ce9-4066-b86e-e6b8cbc183c7} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 2436 2456c289f58 socket
3⤵
- Checks processor information in registry
PID:4140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.2.529538284\1430596569" -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3096 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7e7ea6e-b799-4027-af7a-59b74b8704fc} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 3112 2457be0d558 tab
3⤵
PID:4368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.3.548097086\1879111047" -childID 2 -isForBrowser -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11816d03-cd13-4d36-b328-efc73ed47007} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4148 2457d7bf658 tab
3⤵
PID:988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.4.577929490\993946563" -childID 3 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a07533a3-8de8-48a5-926a-82c2c0a75358} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5072 2457fd09158 tab
3⤵
PID:5176

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.5.150055223\1374234263" -childID 4 -isForBrowser -prefsHandle 5232 -prefMapHandle 5236 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc22020c-c237-47ef-9307-98143a988225} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5216 2457f9b8358 tab
3⤵
PID:5188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.6.1028729366\1890653868" -childID 5 -isForBrowser -prefsHandle 5536 -prefMapHandle 5532 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {728190e5-6719-46b7-90a7-90023182325c} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5548 2457f9b6258 tab
3⤵
PID:5196

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\DisableSubmit.ppsm" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6080

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConvertToResize.m4v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8cf69ab58,0x7ff8cf69ab68,0x7ff8cf69ab78
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:2
2⤵
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:8
2⤵
PID:5928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:8
2⤵
PID:5924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:1
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:1
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:1
2⤵
PID:5548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:8
2⤵
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3852 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:8
2⤵
PID:5972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:8
2⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:8
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:8
2⤵
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:8
2⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=2032,i,905704900510476347,16299063283248063821,131072 /prefetch:8
2⤵
PID:5748

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
606c5fbb1eeefa482b3bd64f39e3cb18

SHA1
879bca3d5f64b4bcd4893c40b29691060fa8f6e5

SHA256
a7e3924f9d5b5bd675b94e1b8e2ea37b0a2bda6356f12d7b079533455cd6737c

SHA512
5c430ccbb01a4a9d45664a10b58815f3e4457c399c425f4f0f160973b900c8362810431436338205f74001c3a37ce938bb36a4c2cb849c07679b653a2e8dabae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
c8ac0a1d82d5504910962c1db0ccf0c5

SHA1
3ea1905b6b2acc38596cdcd805bc6d0dc703ab3b

SHA256
0d4e8251805fba3d358f7fd455b58b3ee664ac3d6041be5611e9f78761bb6a9b

SHA512
0e18a1ce29b47b3dc845ff6cc372da10e4ad6ee4aac87c49bf9c57d5acdd526d5a5d5ed2795209de717750dac77170445b35352fbfb5bb125f7be8923bc5fa01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
67ca8b4411ecc9fde2747ec502f5f39c

SHA1
7544792d9a59fbf37791090b57f3dc0df2693cb3

SHA256
69a1a0cc1b951eae9b3144f10dba614dcfdb394d203a0659bc5a720c11f162e7

SHA512
c67d120a427ea8feff8873c3c06645d7cf0e7a6c9ff88682be6cf3968e0b1840c3edfcee3fb943f5e26bce016dd071d411121cc7fecea0c9f166846d34b01b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
3f230b755fd84d47a3f0c621f6c949b7

SHA1
de86e5beff94e7529a1825674cd39e20a091479d

SHA256
9e6f70d50e97783469c0b4e97b9f3270d397bbdef899a431bd0ebad826e5e6c2

SHA512
16e8f1d4cf6d3a49d422a6b2b857cb40184733da99ea8cbfddd53ec2c39e9e06945af8ca236dbb2c2fe2171a479cbb127249b64bad7e4ca4a418d7f2752e6104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
a392fae35ba1a7d7576953cb3e9a0d88

SHA1
fc329d801cd9a5723eb73144eb20a1e02a444f07

SHA256
1a8f266bae820bd6e5618bf7dd531bb194c3a9265650f0cf93ad5b73c262403a

SHA512
c38ea39203f461ef938fc0f90168a5b35698eedad60de8b02bae198e82277eb94c6797c475a4d7be8aae2473932bb7a96e1f07ea80d7e5a87105ed5e99797d11

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\activity-stream.discovery_stream.json.tmp
Filesize
30KB

MD5
49ff36b415d73b72614122a64e1db04b

SHA1
ac3a557f8999c8131c0f3c9a4b07179533708d47

SHA256
0713d80aeb60087dd587587cae66acb4810d647a17c2c24f0e5c727cb8e82043

SHA512
712fe4a863e0b77790e5b5d0faf48195710e1cd4edb41aed37d7dd124f4550d9a9bd5152bfe0cfe6a943b8cfe35a5710f83db46f572da7ffbf8677e615ac5b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\urjHh4b7knaJ.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js
Filesize
6KB

MD5
cffe05cd1cdc244e7da37ae08ff4fdb4

SHA1
0d1838bf5c38e17ed79c4be5c059df016ddb4b9a

SHA256
a031ef37d0d32067080a6b408261574949fae2c544cc2898feff519db4a0cbef

SHA512
6faf195e7ee76a16200bfb4f72e504c166734edb972501c8f0b33e0a87a7fb6abdef8014ceec6ced5fe2c700cd49db438a6288bab751f97556784a51821435a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs.js
Filesize
6KB

MD5
54419206b2aa60d427576445a38f010a

SHA1
d25bdd4c9e23f2bfd7768b0e0753d6c8ebc0b73c

SHA256
501b9d2ed5ae602bcae5b176f0dc7e4b9c7e6a6a60a44316f56f9a755c39d688

SHA512
dcdd4ea75996c8b6987f217ea9a62c628e87baadecd85df45ffd8fb9d924021acb5298edec68bd3145626f7c6531be61fc74ec8668edda154265abc5c7065374

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionCheckpoints.json
Filesize
228B

MD5
66bdbb6de2094027600e5df8fbbf28f4

SHA1
ce033f719ebce89ac8e5c6f0c9fed58c52eca985

SHA256
df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc

SHA512
18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore.jsonlz4
Filesize
923B

MD5
d21570e3962bab5a7f20d4b7713141a5

SHA1
b301e26e48853056cb54f67bed94a63cacb1e65d

SHA256
c5d62c1f7fea9621d4ba402a1eb71e35e806a841f5def8312212e115a718d627

SHA512
6e6b6bbe44d2d0ceaf6d4502718b5c7ee7d87b9bd4bd215cbb120427b0c010ffcb08f7c3b7e749379bb41e9cd22f399128b6da2b51a29862ebc2736f1e082d9b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
\??\pipe\crashpad_1288_MMXXQFEVOWQPHAZS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2744-13-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2744-20-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2744-19-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2744-864-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2744-17-0x0000000006C70000-0x0000000006C7A000-memory.dmp

Filesize
40KB

Download
memory/2744-12-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2744-18-0x0000000006630000-0x000000000666C000-memory.dmp

Filesize
240KB

Download
memory/2864-168-0x00007FF8D7100000-0x00007FF8D7111000-memory.dmp

Filesize
68KB

Download
memory/2864-171-0x0000022FD9570000-0x0000022FDADDF000-memory.dmp

Filesize
24.4MB

Download
memory/2864-170-0x00007FF8D70C0000-0x00007FF8D70DB000-memory.dmp

Filesize
108KB

Download
memory/2864-163-0x00007FF8D7160000-0x00007FF8D736B000-memory.dmp

Filesize
2.0MB

Download
memory/2864-169-0x00007FF8D70E0000-0x00007FF8D70F1000-memory.dmp

Filesize
68KB

Download
memory/2864-155-0x00007FF8D7560000-0x00007FF8D7816000-memory.dmp

Filesize
2.7MB

Download
memory/2864-167-0x00007FF8D7120000-0x00007FF8D7131000-memory.dmp

Filesize
68KB

Download
memory/2864-166-0x00007FF8D7140000-0x00007FF8D7158000-memory.dmp

Filesize
96KB

Download
memory/2864-165-0x00007FF8D7F00000-0x00007FF8D7F21000-memory.dmp

Filesize
132KB

Download
memory/2864-162-0x00007FF8D8810000-0x00007FF8D8821000-memory.dmp

Filesize
68KB

Download
memory/2864-164-0x00007FF8D7F30000-0x00007FF8D7F71000-memory.dmp

Filesize
260KB

Download
memory/2864-160-0x00007FF8E6260000-0x00007FF8E6271000-memory.dmp

Filesize
68KB

Download
memory/2864-159-0x00007FF8E6BD0000-0x00007FF8E6BE7000-memory.dmp

Filesize
92KB

Download
memory/2864-158-0x00007FF8E7260000-0x00007FF8E7271000-memory.dmp

Filesize
68KB

Download
memory/2864-157-0x00007FF8E74B0000-0x00007FF8E74C7000-memory.dmp

Filesize
92KB

Download
memory/2864-156-0x00007FF8E7830000-0x00007FF8E7848000-memory.dmp

Filesize
96KB

Download
memory/2864-153-0x00007FF6D1880000-0x00007FF6D1978000-memory.dmp

Filesize
992KB

Download
memory/2864-161-0x00007FF8D8F40000-0x00007FF8D8F5D000-memory.dmp

Filesize
116KB

Download
memory/2864-154-0x00007FF8E7280000-0x00007FF8E72B4000-memory.dmp

Filesize
208KB

Download
memory/4436-6-0x0000000005520000-0x0000000005532000-memory.dmp

Filesize
72KB

Download
memory/4436-15-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4436-0-0x000000007531E000-0x000000007531F000-memory.dmp

Filesize
4KB

Download
memory/4436-1-0x0000000000A70000-0x0000000000ADC000-memory.dmp

Filesize
432KB

Download
memory/4436-2-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/4436-3-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/4436-4-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4436-5-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/6080-192-0x00007FF8B62F0000-0x00007FF8B6300000-memory.dmp

Filesize
64KB

Download
memory/6080-191-0x00007FF8B62F0000-0x00007FF8B6300000-memory.dmp

Filesize
64KB

Download
memory/6080-197-0x00007FF8B4050000-0x00007FF8B4060000-memory.dmp

Filesize
64KB

Download
memory/6080-196-0x00007FF8B4050000-0x00007FF8B4060000-memory.dmp

Filesize
64KB

Download
memory/6080-193-0x00007FF8B62F0000-0x00007FF8B6300000-memory.dmp

Filesize
64KB

Download
memory/6080-195-0x00007FF8B62F0000-0x00007FF8B6300000-memory.dmp

Filesize
64KB

Download
memory/6080-194-0x00007FF8B62F0000-0x00007FF8B6300000-memory.dmp

Filesize
64KB

Download