quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
299s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (100) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral12/memory/1908-1-0x0000000000F30000-0x0000000000F9C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4004	Client.exe
352	Client.exe
3400	Client.exe
1760	Client.exe
4416	Client.exe
3356	Client.exe
4804	Client.exe
4836	Client.exe
992	Client.exe
2948	Client.exe
924	Client.exe
4388	Client.exe
4452	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
36	ip-api.com
18	ip-api.com
20	ip-api.com
45	ip-api.com
47	ip-api.com
3	ip-api.com
40	ip-api.com
32	ip-api.com
34	ip-api.com
38	ip-api.com
43	ip-api.com
12	api.ipify.org
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2948	4004	WerFault.exe	Client.exe
636	352	WerFault.exe	Client.exe
2944	3400	WerFault.exe	Client.exe
4664	1760	WerFault.exe	Client.exe
3016	4416	WerFault.exe	Client.exe
4756	3356	WerFault.exe	Client.exe
924	4804	WerFault.exe	Client.exe
4688	4836	WerFault.exe	Client.exe
1800	992	WerFault.exe	Client.exe
3920	2948	WerFault.exe	Client.exe
436	924	WerFault.exe	Client.exe
5092	4388	WerFault.exe	Client.exe
4868	4452	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
728	schtasks.exe
4288	schtasks.exe
2116	schtasks.exe
3144	schtasks.exe
2268	SCHTASKS.exe
4476	schtasks.exe
4300	schtasks.exe
4156	schtasks.exe
4672	schtasks.exe
3036	schtasks.exe
1068	schtasks.exe
5068	schtasks.exe
4776	schtasks.exe
4548	schtasks.exe
1220	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
5092	PING.EXE
4800	PING.EXE
1724	PING.EXE
2036	PING.EXE
4800	PING.EXE
1308	PING.EXE
3068	PING.EXE
1548	PING.EXE
3684	PING.EXE
4736	PING.EXE
3932	PING.EXE
4452	PING.EXE
2476	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Uni - Copy (100) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1908	Uni - Copy (100) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	4004	Client.exe
Token: SeDebugPrivilege	352	Client.exe
Token: SeDebugPrivilege	3400	Client.exe
Token: SeDebugPrivilege	1760	Client.exe
Token: SeDebugPrivilege	4416	Client.exe
Token: SeDebugPrivilege	3356	Client.exe
Token: SeDebugPrivilege	4804	Client.exe
Token: SeDebugPrivilege	4836	Client.exe
Token: SeDebugPrivilege	992	Client.exe
Token: SeDebugPrivilege	2948	Client.exe
Token: SeDebugPrivilege	924	Client.exe
Token: SeDebugPrivilege	4388	Client.exe
Token: SeDebugPrivilege	4452	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4004	Client.exe
352	Client.exe
3400	Client.exe
1760	Client.exe
4416	Client.exe
3356	Client.exe
4804	Client.exe
4836	Client.exe
992	Client.exe
2948	Client.exe
924	Client.exe
4388	Client.exe
4452	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (100) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1908 wrote to memory of 4776	1908	Uni - Copy (100) - Copy - Copy - Copy.exe	schtasks.exe
PID 1908 wrote to memory of 4776	1908	Uni - Copy (100) - Copy - Copy - Copy.exe	schtasks.exe
PID 1908 wrote to memory of 4776	1908	Uni - Copy (100) - Copy - Copy - Copy.exe	schtasks.exe
PID 1908 wrote to memory of 4004	1908	Uni - Copy (100) - Copy - Copy - Copy.exe	Client.exe
PID 1908 wrote to memory of 4004	1908	Uni - Copy (100) - Copy - Copy - Copy.exe	Client.exe
PID 1908 wrote to memory of 4004	1908	Uni - Copy (100) - Copy - Copy - Copy.exe	Client.exe
PID 1908 wrote to memory of 2268	1908	Uni - Copy (100) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1908 wrote to memory of 2268	1908	Uni - Copy (100) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1908 wrote to memory of 2268	1908	Uni - Copy (100) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4004 wrote to memory of 4476	4004	Client.exe	schtasks.exe
PID 4004 wrote to memory of 4476	4004	Client.exe	schtasks.exe
PID 4004 wrote to memory of 4476	4004	Client.exe	schtasks.exe
PID 4004 wrote to memory of 888	4004	Client.exe	cmd.exe
PID 4004 wrote to memory of 888	4004	Client.exe	cmd.exe
PID 4004 wrote to memory of 888	4004	Client.exe	cmd.exe
PID 888 wrote to memory of 1468	888	cmd.exe	chcp.com
PID 888 wrote to memory of 1468	888	cmd.exe	chcp.com
PID 888 wrote to memory of 1468	888	cmd.exe	chcp.com
PID 888 wrote to memory of 3684	888	cmd.exe	PING.EXE
PID 888 wrote to memory of 3684	888	cmd.exe	PING.EXE
PID 888 wrote to memory of 3684	888	cmd.exe	PING.EXE
PID 888 wrote to memory of 352	888	cmd.exe	Client.exe
PID 888 wrote to memory of 352	888	cmd.exe	Client.exe
PID 888 wrote to memory of 352	888	cmd.exe	Client.exe
PID 352 wrote to memory of 4300	352	Client.exe	schtasks.exe
PID 352 wrote to memory of 4300	352	Client.exe	schtasks.exe
PID 352 wrote to memory of 4300	352	Client.exe	schtasks.exe
PID 352 wrote to memory of 4296	352	Client.exe	cmd.exe
PID 352 wrote to memory of 4296	352	Client.exe	cmd.exe
PID 352 wrote to memory of 4296	352	Client.exe	cmd.exe
PID 4296 wrote to memory of 4304	4296	cmd.exe	chcp.com
PID 4296 wrote to memory of 4304	4296	cmd.exe	chcp.com
PID 4296 wrote to memory of 4304	4296	cmd.exe	chcp.com
PID 4296 wrote to memory of 4736	4296	cmd.exe	PING.EXE
PID 4296 wrote to memory of 4736	4296	cmd.exe	PING.EXE
PID 4296 wrote to memory of 4736	4296	cmd.exe	PING.EXE
PID 4296 wrote to memory of 3400	4296	cmd.exe	Client.exe
PID 4296 wrote to memory of 3400	4296	cmd.exe	Client.exe
PID 4296 wrote to memory of 3400	4296	cmd.exe	Client.exe
PID 3400 wrote to memory of 728	3400	Client.exe	schtasks.exe
PID 3400 wrote to memory of 728	3400	Client.exe	schtasks.exe
PID 3400 wrote to memory of 728	3400	Client.exe	schtasks.exe
PID 3400 wrote to memory of 4112	3400	Client.exe	cmd.exe
PID 3400 wrote to memory of 4112	3400	Client.exe	cmd.exe
PID 3400 wrote to memory of 4112	3400	Client.exe	cmd.exe
PID 4112 wrote to memory of 3648	4112	cmd.exe	chcp.com
PID 4112 wrote to memory of 3648	4112	cmd.exe	chcp.com
PID 4112 wrote to memory of 3648	4112	cmd.exe	chcp.com
PID 4112 wrote to memory of 1724	4112	cmd.exe	PING.EXE
PID 4112 wrote to memory of 1724	4112	cmd.exe	PING.EXE
PID 4112 wrote to memory of 1724	4112	cmd.exe	PING.EXE
PID 4112 wrote to memory of 1760	4112	cmd.exe	Client.exe
PID 4112 wrote to memory of 1760	4112	cmd.exe	Client.exe
PID 4112 wrote to memory of 1760	4112	cmd.exe	Client.exe
PID 1760 wrote to memory of 4156	1760	Client.exe	schtasks.exe
PID 1760 wrote to memory of 4156	1760	Client.exe	schtasks.exe
PID 1760 wrote to memory of 4156	1760	Client.exe	schtasks.exe
PID 1760 wrote to memory of 4400	1760	Client.exe	cmd.exe
PID 1760 wrote to memory of 4400	1760	Client.exe	cmd.exe
PID 1760 wrote to memory of 4400	1760	Client.exe	cmd.exe
PID 4400 wrote to memory of 3156	4400	cmd.exe	chcp.com
PID 4400 wrote to memory of 3156	4400	cmd.exe	chcp.com
PID 4400 wrote to memory of 3156	4400	cmd.exe	chcp.com
PID 4400 wrote to memory of 3932	4400	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4776

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bzGuWdxMpK1G.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1468

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3684

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:352

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4KnJVB66oZDx.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4304

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4736

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3V6WoGVrXDz0.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:3648

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1724

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gj9Z1zcjBDda.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3156

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3932

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g7bk60xv5Xnw.bat" "
11⤵
PID:5088

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1448

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4452

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3356

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C01Tkx4VCdX7.bat" "
13⤵
PID:5048

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:1780

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2036

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWx0bnSZSCEZ.bat" "
15⤵
PID:756

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4956

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2476

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y1tXTercilu2.bat" "
17⤵
PID:3032

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3188

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:5092

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\chAILg2mdBHu.bat" "
19⤵
PID:628

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3884

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4800

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsTVelQYMq4x.bat" "
21⤵
PID:2400

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1528

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1308

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m9RLwwisuvgD.bat" "
23⤵
PID:4348

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4812

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3068

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1REt2rAVyp0M.bat" "
25⤵
PID:1876

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:208

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1548

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYnbSkEVHa7q.bat" "
27⤵
PID:5100

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:1768

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1096
27⤵
- Program crash
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1672
25⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1668
23⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 2168
21⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 2224
19⤵
- Program crash
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1192
17⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1672
15⤵
- Program crash
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1672
13⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1712
11⤵
- Program crash
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1092
9⤵
- Program crash
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1672
7⤵
- Program crash
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 2176
5⤵
- Program crash
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1908
3⤵
- Program crash
PID:2948

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4004 -ip 4004
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 352 -ip 352
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3400 -ip 3400
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1760 -ip 1760
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4416 -ip 4416
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3356 -ip 3356
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4804 -ip 4804
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4836 -ip 4836
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 992 -ip 992
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2948 -ip 2948
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 924 -ip 924
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4452 -ip 4452
1⤵
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1REt2rAVyp0M.bat
Filesize
207B

MD5
8689423258c1fdaefc33ba02359b93a0

SHA1
4da860f5d150c29f2d2f94b424fdbb4fccb5921d

SHA256
bad817a184174731d09eff314c41811c9a8799b6713aba86d29f4744c0955f2c

SHA512
1af414b17c95be94f44f96741780194ff46fdc9eeeabffe8dc7b58e62462dab9e265cfe58fb52ad2bee1ef53f9f0b7c4fb754e855aba9a0f93306731e110810e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3V6WoGVrXDz0.bat
Filesize
207B

MD5
9aa3ad11adc726c026f328900997f6a8

SHA1
8abb6ec44d318ee271232bb955c01029f0f9d9bd

SHA256
8a0647a07dd6a40e22047cb19a821c7129aec139ce332a73b0ddd6d54d73ad02

SHA512
2d72cffe72d54eadd864727713d857c010c2aecbc22e5a30ebbf859dd1d698b6fbc112054246376c016c05f380e7cd0c9d950e5484d1f62c9c538d68729d0686

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KnJVB66oZDx.bat
Filesize
207B

MD5
1490f2166b5e3ab3cf8bc7327298114f

SHA1
5718a88ce9c318f18dc9d1afdd21cddcfd252145

SHA256
0a7bfcc1b7f5e2d4c9d771f25096241129027d0f1b5195ac796d388fe9f57d4e

SHA512
1d9cee1e127731d93f35b6486b0a62f8f007761fba5d2ee8a57b0e410b5b6b662179c3bdbe0173f2688a7c74f630b45c1e37abc731adf269274145f90187f93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C01Tkx4VCdX7.bat
Filesize
207B

MD5
3422cbc61f1c6e5f2aab425491625c09

SHA1
ceb44daf145ef19c8945ff4db3101c9a452b8dd1

SHA256
81a4b1166828510e5d404b513112fd2ba3051308c4d5225d5ee0c501220ffeab

SHA512
5c06c06ab03b02da99d1131a0a4b69bbb07f590ef7a27c75dc8023df0ef9beb48cf16f902284c52fd9ab8b44fbfded4060e82c0deef9554ad76b5800b2171b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gj9Z1zcjBDda.bat
Filesize
207B

MD5
a78b01fc625259915df5652f00b2b1e5

SHA1
0b8cfe7d80f785bb501c44126640133d27ba3ee5

SHA256
dc067c90cb908b61a4e85d5d8d694bf6123b30ab9942a91c43d96de92f465554

SHA512
4c2531ed986068c187398cad4513f486b605a76d5c2bdca8eb49e3728cde03e9d7cec57e51d3700ceab1b6c74f154486dd88dc0b72c48720f7362cf542e1313d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y1tXTercilu2.bat
Filesize
207B

MD5
91a5b76d8f949a30209f13cfdf1e890d

SHA1
9dd75f65092716e989cfcd32623d6da2c8609e8a

SHA256
58334d4fc3f404ca5eee36fb29b3c4692426e67ee7d6c29435495d6429c0205d

SHA512
83f727c9f5585de5176d4224713773bdfbefab146ecc151df89e06566e4eb774332c58b9f646791878c18505ae96d0ee610861b0cf2718750400e6aeebe33b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsTVelQYMq4x.bat
Filesize
207B

MD5
ac4dcafcdff29804786b8becdf5b0c8f

SHA1
be6970fe1894ba6dfe3b2020829c084e82ecb78f

SHA256
be95710e0c409c8ba17aa2823fcca8ea17addf111df1049a6bd6be1f401ac761

SHA512
e2c2f3d86d12db97b04525709f20059b6f9644de558caff9c74b45d63a98353aa24beba927acb7fe92fb1735973a3b21fc48dcd76ad53e5c51bd16ba1235620f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzGuWdxMpK1G.bat
Filesize
207B

MD5
138731d6f05c2a07d0be4c96f982b684

SHA1
de5b01983a4c7c41f670bd31e33561c6743e1236

SHA256
7765c234cca769af840804b7e2072e85bfe95151a7db84a787f9e0bf148f9ba6

SHA512
7e685513d1d29a917ae4c0a1fb28418b99b71ab39a0ee2cfb5b11f79ab7d535afe96e016309bb86e486648088a016adf2324e6804c29f427ba4bc221f7d27b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\chAILg2mdBHu.bat
Filesize
207B

MD5
a2e1f0ee70cafc7ae1d732b6b5671280

SHA1
113c51145a6592aa878c659722cb31a66489a741

SHA256
dc4d5a009372f1bf5f0459dc6046aed39ebd88d39e2a2c9eed039c1386be41a0

SHA512
cb0561af55a479bfbdc14e7eb8f1d8f33b6fda9b8578eecc3f68ca1de3b088a6039d88d5f813a26a5a99d77123937265564515aae8daeb7a2351c5cc6b8df020

Download Submit
C:\Users\Admin\AppData\Local\Temp\g7bk60xv5Xnw.bat
Filesize
207B

MD5
048b689812ddde278bd396dbea6f26e9

SHA1
27a30b5e27f8cfe8924106ef1c9522815509a8bb

SHA256
a11c8bfe57f80ab84b22b46d5c334d87436fbc1c7f30a8cf4ec1bf71b87bb92a

SHA512
20cc39d5f9783677c4c9838fe97a43308b95c68d71d4cb8dda2ef697f7fe08abf48395872fd794e0805964bdede03726433626a7accc7fc5b24921c7ba557eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\m9RLwwisuvgD.bat
Filesize
207B

MD5
2109a8f8f9a79afd7fa4edca3fd61fd5

SHA1
c397daa968116b543e7e337308b56f931d4d14ba

SHA256
99c977d8820c26f54561f47079e492b0a98b702f53f32c944a1ece6761cedeb9

SHA512
d2d24e49910f22df3f9be273ec5404138dccb267b258c5ceb635d83db643bd1454de1cbecba811c0a614d00d27d74112924422f14e34a8dcb8201b7ef30ba94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWx0bnSZSCEZ.bat
Filesize
207B

MD5
56f5230e24857f0e9d9dba3fce07bec3

SHA1
23a9ab1ec63df359a5aaf4d0dd59a46227bab60f

SHA256
02ff2c00fe864c1f19abdbb446cfdb26df55dae9ca3b5b3e59009cf3bd528eb5

SHA512
395fc9758329d9ed9153c32d11e098d6e68f80dad72e37baf572cb4481be44a83385834d52de2d0b9f9265f6ce518e1b53f2e2bb13974e8ef13a95901812cba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYnbSkEVHa7q.bat
Filesize
207B

MD5
6459483d47bcf0167a73e98f46719c3a

SHA1
40b46a9b5844d26e52bb83dd5675fed1da71bd77

SHA256
31b56fdca94cbcb0a476c17e0851596bc2f5635433192540206cd6e1e2312ddc

SHA512
95b55250ade7c7e16780a65671a8b60bd9bcf350b1a57885915367c5320ea96707ab8750a5a4651f728aa51926344006f5a7f8605e8076a5d2d68172a65b4dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
965acf0176279e54ad9cea48e7587efb

SHA1
5a881d6a1889e4852d5a001e8a41e15d4ded31c3

SHA256
0e18562fadf816eb1ce0e5af58354dfffd20c166b1bc8a836631ffaf63143228

SHA512
e57b98280e024216e90c9f93c3e3815b929e8fcfebd64eac6ffb8323f5c8af0758fad3d2ecc0f9c862ea1278d47e5e776d691854901cbca9fa180c0ea1659867

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
336619f69de66af6f4df2f6079f52d2b

SHA1
86839e19bcbbd3c5117bc88b42a4d7133fce6bf8

SHA256
e69a8a48eee6192329de9febabf4767be4d7a963e69f3fc64fbd62395689baae

SHA512
ae592bae33506ace4b4241ccf250ee66425e91b91bde692e977ceb757fbc73627038ba07f3815f24d843a1f30941135370dce97ea229875522daa98a324f576b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
afe4195670534300fcd39f1d9c36a205

SHA1
5af6493240eeb7e07f5dc871167e87be3a418603

SHA256
09a9af381b8eb3a239244d73b60c38878f051741730c2e94edd4eeabadd28b21

SHA512
a0eb624fe91bab12a46997ea736a8af9ab0f3bc4c9b72b3cb5ded3f7d7e371976d17dc04b662bad78d71858a971304822a3b9ee086769e9aeb79cbec046d3d1f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
1a05ff087f2a4b7c85537c7b7d0fd8fe

SHA1
a14d140697f61de31b0de25899734fbecd65f1b5

SHA256
093c45b33d83a972a23e36e099ff2478c5aa1bc554d4815ad7c6f7d56f0cd610

SHA512
e0d0aae28a4d7ed9dec789adc03c47c3346d373bd62631c61697bda15bc273a3d362b02e0586200fa4a5848afc59c7e7f2aea189e6857b2a25cbbabcf242c1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
e75dfb846af939d47fef92919b8eb561

SHA1
8f89b0923f5bbb74fa5caad3b30fc8e800db0075

SHA256
7385006d16ace02795d91c1e9f9c28a1a1975e68c51567044e3bd4b7140c15f2

SHA512
42053c3a5e6ee149da5b808dc695e909d76a8c6c21da170774591a0436a0adb2c2a31ac19bff85f328b80a894629cc9f81910eca1ca1a10b48dcc7ac764f68c3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
d9d8ec550a8a2d0af0c659dbbd652ab5

SHA1
9678ccb4bb27b049beb1e646f781ebedef734e67

SHA256
cb9d4c5cc0691d682360fbac78b62ff7f1a6d92a981218a64e775e0d47d9cd85

SHA512
d1ed7d4ea19338a2fcfbe8a5468102f371ed1f0e0fe0146d4290385703fc7430e70ab5744576258c9b7a0a81784661d77c9adf3d595ace329442e6625987c30a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
fa6e668697e31cf60939834a90e5d430

SHA1
ce1c8679bb23f4c06a80056a3fed0060e7390e75

SHA256
3c9ebbaec3a5cc6fdbe5fb0533cdde3770ff651b42f0aeaa5ebfd7542398022b

SHA512
79ef3bc3d53bef08fd1649986fbd2a3ffd19a97787f71460d0b462697cf6009b998990643d7b63f92e438cd922575733dfa5dcbf3b19f9407417f4c8c416cab3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1908-4-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-3-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/1908-16-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-8-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-7-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download
memory/1908-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download
memory/1908-6-0x0000000005FC0000-0x0000000005FD2000-memory.dmp

Filesize
72KB

Download
memory/1908-1-0x0000000000F30000-0x0000000000F9C000-memory.dmp

Filesize
432KB

Download
memory/1908-5-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/1908-2-0x0000000005FE0000-0x0000000006584000-memory.dmp

Filesize
5.6MB

Download
memory/4004-17-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4004-19-0x0000000006850000-0x000000000685A000-memory.dmp

Filesize
40KB

Download
memory/4004-24-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4004-14-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download