quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
296s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (104) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral30/memory/4988-1-0x0000000000EB0000-0x0000000000F1C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1192	Client.exe
3336	Client.exe
3836	Client.exe
448	Client.exe
2496	Client.exe
5004	Client.exe
3208	Client.exe
3988	Client.exe
4904	Client.exe
4768	Client.exe
892	Client.exe
4688	Client.exe
3736	Client.exe
1744	Client.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
13	ip-api.com
28	ip-api.com
30	ip-api.com
9	api.ipify.org
20	ip-api.com
26	ip-api.com
32	ip-api.com
18	ip-api.com
11	ip-api.com
34	ip-api.com
2	ip-api.com
22	ip-api.com
24	ip-api.com
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
764	1192	WerFault.exe	Client.exe
3172	3336	WerFault.exe	Client.exe
4036	3836	WerFault.exe	Client.exe
4632	448	WerFault.exe	Client.exe
4548	2496	WerFault.exe	Client.exe
1472	5004	WerFault.exe	Client.exe
2020	3208	WerFault.exe	Client.exe
4884	3988	WerFault.exe	Client.exe
1976	4904	WerFault.exe	Client.exe
4932	4768	WerFault.exe	Client.exe
3504	892	WerFault.exe	Client.exe
2848	4688	WerFault.exe	Client.exe
764	3736	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2116	schtasks.exe
2716	SCHTASKS.exe
4512	schtasks.exe
1120	schtasks.exe
4472	schtasks.exe
5088	schtasks.exe
4764	schtasks.exe
3988	schtasks.exe
1500	schtasks.exe
692	schtasks.exe
1672	schtasks.exe
2848	schtasks.exe
4624	schtasks.exe
4740	schtasks.exe
3336	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1472	PING.EXE
1996	PING.EXE
3444	PING.EXE
4312	PING.EXE
3052	PING.EXE
4904	PING.EXE
1612	PING.EXE
3836	PING.EXE
1320	PING.EXE
2892	PING.EXE
1920	PING.EXE
4848	PING.EXE
2628	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Uni - Copy (104) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4988	Uni - Copy (104) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	1192	Client.exe
Token: SeDebugPrivilege	3336	Client.exe
Token: SeDebugPrivilege	3836	Client.exe
Token: SeDebugPrivilege	448	Client.exe
Token: SeDebugPrivilege	2496	Client.exe
Token: SeDebugPrivilege	5004	Client.exe
Token: SeDebugPrivilege	3208	Client.exe
Token: SeDebugPrivilege	3988	Client.exe
Token: SeDebugPrivilege	4904	Client.exe
Token: SeDebugPrivilege	4768	Client.exe
Token: SeDebugPrivilege	892	Client.exe
Token: SeDebugPrivilege	4688	Client.exe
Token: SeDebugPrivilege	3736	Client.exe
Token: SeDebugPrivilege	1744	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1192	Client.exe
3336	Client.exe
3836	Client.exe
448	Client.exe
2496	Client.exe
5004	Client.exe
3208	Client.exe
3988	Client.exe
4904	Client.exe
4768	Client.exe
892	Client.exe
4688	Client.exe
3736	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (104) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4988 wrote to memory of 2116	4988	Uni - Copy (104) - Copy - Copy - Copy.exe	schtasks.exe
PID 4988 wrote to memory of 2116	4988	Uni - Copy (104) - Copy - Copy - Copy.exe	schtasks.exe
PID 4988 wrote to memory of 2116	4988	Uni - Copy (104) - Copy - Copy - Copy.exe	schtasks.exe
PID 4988 wrote to memory of 1192	4988	Uni - Copy (104) - Copy - Copy - Copy.exe	Client.exe
PID 4988 wrote to memory of 1192	4988	Uni - Copy (104) - Copy - Copy - Copy.exe	Client.exe
PID 4988 wrote to memory of 1192	4988	Uni - Copy (104) - Copy - Copy - Copy.exe	Client.exe
PID 4988 wrote to memory of 2716	4988	Uni - Copy (104) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4988 wrote to memory of 2716	4988	Uni - Copy (104) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4988 wrote to memory of 2716	4988	Uni - Copy (104) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1192 wrote to memory of 4472	1192	Client.exe	schtasks.exe
PID 1192 wrote to memory of 4472	1192	Client.exe	schtasks.exe
PID 1192 wrote to memory of 4472	1192	Client.exe	schtasks.exe
PID 1192 wrote to memory of 1176	1192	Client.exe	cmd.exe
PID 1192 wrote to memory of 1176	1192	Client.exe	cmd.exe
PID 1192 wrote to memory of 1176	1192	Client.exe	cmd.exe
PID 1176 wrote to memory of 1052	1176	cmd.exe	chcp.com
PID 1176 wrote to memory of 1052	1176	cmd.exe	chcp.com
PID 1176 wrote to memory of 1052	1176	cmd.exe	chcp.com
PID 1176 wrote to memory of 1320	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 1320	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 1320	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 3336	1176	cmd.exe	Client.exe
PID 1176 wrote to memory of 3336	1176	cmd.exe	Client.exe
PID 1176 wrote to memory of 3336	1176	cmd.exe	Client.exe
PID 3336 wrote to memory of 5088	3336	Client.exe	schtasks.exe
PID 3336 wrote to memory of 5088	3336	Client.exe	schtasks.exe
PID 3336 wrote to memory of 5088	3336	Client.exe	schtasks.exe
PID 3336 wrote to memory of 5072	3336	Client.exe	cmd.exe
PID 3336 wrote to memory of 5072	3336	Client.exe	cmd.exe
PID 3336 wrote to memory of 5072	3336	Client.exe	cmd.exe
PID 5072 wrote to memory of 1504	5072	cmd.exe	chcp.com
PID 5072 wrote to memory of 1504	5072	cmd.exe	chcp.com
PID 5072 wrote to memory of 1504	5072	cmd.exe	chcp.com
PID 5072 wrote to memory of 1472	5072	cmd.exe	PING.EXE
PID 5072 wrote to memory of 1472	5072	cmd.exe	PING.EXE
PID 5072 wrote to memory of 1472	5072	cmd.exe	PING.EXE
PID 5072 wrote to memory of 3836	5072	cmd.exe	Client.exe
PID 5072 wrote to memory of 3836	5072	cmd.exe	Client.exe
PID 5072 wrote to memory of 3836	5072	cmd.exe	Client.exe
PID 3836 wrote to memory of 1672	3836	Client.exe	schtasks.exe
PID 3836 wrote to memory of 1672	3836	Client.exe	schtasks.exe
PID 3836 wrote to memory of 1672	3836	Client.exe	schtasks.exe
PID 3836 wrote to memory of 4488	3836	Client.exe	cmd.exe
PID 3836 wrote to memory of 4488	3836	Client.exe	cmd.exe
PID 3836 wrote to memory of 4488	3836	Client.exe	cmd.exe
PID 4488 wrote to memory of 1108	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 1108	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 1108	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 3052	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 3052	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 3052	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 448	4488	cmd.exe	Client.exe
PID 4488 wrote to memory of 448	4488	cmd.exe	Client.exe
PID 4488 wrote to memory of 448	4488	cmd.exe	Client.exe
PID 448 wrote to memory of 2848	448	Client.exe	schtasks.exe
PID 448 wrote to memory of 2848	448	Client.exe	schtasks.exe
PID 448 wrote to memory of 2848	448	Client.exe	schtasks.exe
PID 448 wrote to memory of 2964	448	Client.exe	cmd.exe
PID 448 wrote to memory of 2964	448	Client.exe	cmd.exe
PID 448 wrote to memory of 2964	448	Client.exe	cmd.exe
PID 2964 wrote to memory of 4748	2964	cmd.exe	chcp.com
PID 2964 wrote to memory of 4748	2964	cmd.exe	chcp.com
PID 2964 wrote to memory of 4748	2964	cmd.exe	chcp.com
PID 2964 wrote to memory of 4904	2964	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2116

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hfswdr8lintl.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1052

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1320

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ShXBnNwdbjnG.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1504

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1472

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cLhuMg5f8stM.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1108

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3052

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t8dHDo9Nuj5R.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4748

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4904

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GxC8eQXjhChJ.bat" "
11⤵
PID:2256

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2968

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1996

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1y6D4DhB9Wya.bat" "
13⤵
PID:3176

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4996

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2892

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3208

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUqTjoFYvtMx.bat" "
15⤵
PID:3924

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:1676

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3444

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DNSTa1DoWBOD.bat" "
17⤵
PID:4592

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3620

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4848

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3TungksLvD2y.bat" "
19⤵
PID:2212

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:680

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1612

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZNKXJizw2Jm9.bat" "
21⤵
PID:4468

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4824

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1920

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d4aIBjA6xj90.bat" "
23⤵
PID:4248

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2908

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3836

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYi5GqOqhU8Z.bat" "
25⤵
PID:3308

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2004

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4312

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2BRHRUhaBlw0.bat" "
27⤵
PID:4592

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:2988

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2628

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1096
27⤵
- Program crash
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 2232
25⤵
- Program crash
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1092
23⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1672
21⤵
- Program crash
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 2224
19⤵
- Program crash
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1096
17⤵
- Program crash
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1660
15⤵
- Program crash
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1092
13⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 2248
11⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 1088
9⤵
- Program crash
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 2248
7⤵
- Program crash
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1652
5⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 1644
3⤵
- Program crash
PID:764

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (104) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1192 -ip 1192
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3336 -ip 3336
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3836 -ip 3836
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 448 -ip 448
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2496 -ip 2496
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5004 -ip 5004
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3208 -ip 3208
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3988 -ip 3988
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4904 -ip 4904
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4768 -ip 4768
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 892 -ip 892
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4688 -ip 4688
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3736 -ip 3736
1⤵
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1y6D4DhB9Wya.bat
Filesize
207B

MD5
ff729cd4b8471aef7c5de6b5ac383654

SHA1
21b7cc88b12156e71a51751b8bd3b350cbfd58c9

SHA256
341be5e8e589d6bcf786b2b924330100325adbff3c38aa5069f49953b736fa15

SHA512
2bd49449b4195737a112e15c1a580d1c8294ac7ae878f35ea117f4aaa520b2f5431f08b81aef8fb41389c880ba917279595c786f069f30d7520865d1d8e2ef7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BRHRUhaBlw0.bat
Filesize
207B

MD5
2544442d4630b2ac34b9e17b3cab0b1e

SHA1
8463cbfd865eefd13dc657f1e41a33b1ac8268c7

SHA256
5e4537c2efc1bac2f08785e292a0c9cb63c7ffa0f0786d6d26370392d5464cbc

SHA512
26114eefe7ac68faf502633f44d00e6f3d18a10aa27f07fe3d01009da1f5b553aaea0a5b8e597b7201805b8304587df74379d866852f2c076f2fb2986a0bd81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3TungksLvD2y.bat
Filesize
207B

MD5
ad048752146a3890564ad69b73c7eacb

SHA1
afef07c55e671cd38cb94bf46cd23d69c0ef7f5a

SHA256
aeaf3a30864721209eadd431efb339e16afa48bb44ed134d76466d4d655c9f6f

SHA512
d902a63d5f7a273aff8ca56e8547bec45ce2c77ff041f4bed849ef8a77bb0cae58aed062c68ba44f932403722a94412322617dbfd089e38fea4bec0c19bb4493

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNSTa1DoWBOD.bat
Filesize
207B

MD5
3170597a48d980d8fadca5dca674a3e8

SHA1
cd68a5705fb7509efddcb481949d0a97c059b525

SHA256
445e38b58db04b493c5d1d7a037a7d9d49205e8b9d928c10647978bede7d43ec

SHA512
401695aa768def9417b8e162374a8ac96518fd2bb9f32bdaeb27c4d95db8e7c8fb94fbaf6c270c7992848414060ea340be649f80b6948db104fe232a80d88846

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYi5GqOqhU8Z.bat
Filesize
207B

MD5
8e5db6be7d372871a5846cffe8b892b0

SHA1
1630b3550bcd281e52c040a8359528572f195369

SHA256
290fac87c767f3c6b7c19b0e56faed831e0a06b9556da9f70e9aaae4ac05f8dc

SHA512
7e168c315ef6ba462aa6255a88fef7f8a435ecb8b65f2ba6e0fb792a6059913dc306c26a87f0ab7aa15a6255359e38a0c3914b4ebc9a5d8852d220a30a76d304

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxC8eQXjhChJ.bat
Filesize
207B

MD5
b15eeb769a63bc5840cbfdf92b0fbdba

SHA1
ac15cdf20dd40b28d14cd847935f2883981faf1e

SHA256
f33349e85054b07ae46b0c5e57f2312e724531682faa224b207ecd7e17bf0f04

SHA512
17ab7aec2b3882bf536f7a7a22af91f9e788e41ca8c32c65ea2e3e4d38309653f0b0a5ec99f7a78c16f2418bdd2c9d0379eb1b0326ea36a46086211307e66c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShXBnNwdbjnG.bat
Filesize
207B

MD5
9b75503c062bf22ef32fd5847581e1c4

SHA1
c129c570de9aaa4e87a76048979d34e1d13a762d

SHA256
5e05c47b99982cde12d3c4a05effe913e4898b57fa890b9ae19071ae01277ca1

SHA512
7c6bbf6791b610cbe89f4b673f766551d1fbf42c16d032cfd9ab81cad02e06888959467859d434914aae1be897df1d3dbc5467637eaaeeec563893311c1dcd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZNKXJizw2Jm9.bat
Filesize
207B

MD5
f80a65c5d9b3111815d8ed2325d3d5c0

SHA1
1a6c22ca77ea30d60ee95b3664d4f5230ca2d8f6

SHA256
b3c059506fa0ced9265a69fccf389bbc2e81bd59905a5df98991a8de10d09796

SHA512
1d042c1e48f14f3c6485400a126247c4bd06eea281b9a168014608a9bc2e60ca759ecfc50d0bdb3ec21db3c33130cfce29c3ad2e4c59e719d52a1a6f36d8e334

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLhuMg5f8stM.bat
Filesize
207B

MD5
96971dbea60f25ea580b23cdbc3d34c1

SHA1
ab349c6806b97fc7c1967de0842768e65b84e4f7

SHA256
e267d97ee1e3a64efd08b458c020d85bed2c038ce3f3d3d9ecca0277b7c7b3b3

SHA512
abc529d8c138d136de1647ef62f44ffc9032948102117fe9a4a33243e893474113a77f7e3b0a6fd08c267e871ffd13d4ee2b1f9ba18f1647036d5dc48808f3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4aIBjA6xj90.bat
Filesize
207B

MD5
969650477f980766a10621d7756a9653

SHA1
777111f22eebc32202c8115145034bb5535df703

SHA256
4603ff1457eaa2832d7575ce5404bf1da512491bc0c428d1e7d0c741dac5332e

SHA512
74deb5d0dc9efe6d3fd581bfbe5aa8d58374c0df86f4e9020c1bad25f250dae23557632b8ff5a0c1c0672210f6170c7549f6b4655b27acc43e12d94ab6ca60a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfswdr8lintl.bat
Filesize
207B

MD5
8ab8454f4439004647873fe79bd5b8a1

SHA1
efa005206e8afe4530e09525ebeb27cdd42d93a0

SHA256
0da9f292c811dcd90e984eec5242e20077c6eb5b7ea49590671c349a3f618c3d

SHA512
048c95345396396ebd2cf3097333ae1c157783e963c8909cac3f112db770ae409ca8c628301ae61d6244156ba91d710bdc08c20cf2ccc3eb9e16adc50d0ddb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUqTjoFYvtMx.bat
Filesize
207B

MD5
ee65f909a42320cd25facb7a774f7b13

SHA1
eb8f099fe540582ab7a7114d83693c671fc7657f

SHA256
891bd923207d673c8447a8734adef8a7338c86e41d9f88f80e4a993b38d6cdfc

SHA512
e1d47ed1074322ba12fb8699a22155c3a5e019fd5634d8303ee9e4ab4354887ed830dd0752765e27d03fe1eac0c9d2e25af4ec4978b2fd3a78683812a8c4857f

Download Submit
C:\Users\Admin\AppData\Local\Temp\t8dHDo9Nuj5R.bat
Filesize
207B

MD5
dc425f6c5306531a47d127a06fb0dd93

SHA1
96299edf2b10df827e177488a0902226d47765a0

SHA256
38034c982ecabbbeaae7a63a5165ee531fa6208d59dcb8871109861d430fdd8a

SHA512
31edead38e8b8406f3b523902bd74bc039840f6745ebcfa4edb0cfa77828eb339ad61ca1518201fcc0cba74c4c8377c1d0cfa53644081b0f374541a7d4500c77

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
9ca8a70037a925935b2377221e99e9d2

SHA1
8883c54085c297cc53a80e2dc8dd89518805afda

SHA256
daccb1d03623c53c5cb0484161f6fa3986cff9c51dba771b2be515393e67281d

SHA512
194628fbd44568d98fc266f9d5994f4d9671c7e8d5d8dbe8f513d2157f6a28f0c8c66d480872750abf9da6033fb55260325e77de2938fda0d029171f70ff4ea6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
07d3d1c7ac0a87409a0ad826dd71a775

SHA1
39b001a1bb418373fb47986d8a8f3fc3502693f1

SHA256
048c390a4466f59e3910b2f101c3b8f9861cb6ea9b917158fca21db646bd882e

SHA512
d733924aec5e78246bc0930a354c74dc7617efa6b52cd5896cec241ece538ad1013e01ae3353de4012a5fe93e35203efcf270420d6bf17a398481954651b28d3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
4ba24431cf69983cbd9fc5a9976299e3

SHA1
3827778c7e1a87fe36f7a3c373033620c987e168

SHA256
7cac4be057154f4e4bc60a3e0cdbd35845212bb6c01cf851382dbb35e169d0ab

SHA512
6031443eca6b2fb902d64cfd7af363be8a591576602358d3556dd6cbbd2d684e30d6a1790aa37b8c071455e1d9466638f0a174c63ff76b2143ced97701ce0ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
dfd28260c15cc7b8a32f19e8518aac28

SHA1
19cee6d9a5f6094a7802810ca76f9a62330f993a

SHA256
492c6dd013f313b1f8aa598d6a9d84203cf1ab9f7bb77dd948d838e4f16b0b0a

SHA512
b5bb93946d58bab2e06137d9531ea572576c796292fb5e5e84e3a8a31f9c0e0cc157b7796a308b518e10f396687a9aade4b3a27fbca18726c9b996f9504f259b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
8c86ef7dbad72c7a9792aeebff894224

SHA1
abea55edc73e8b34947fc78a6982065aa0f98c92

SHA256
3ccd67e71b853db40a9ed33a9ef761819b5e681787a9541117dd84ceb25aea52

SHA512
069a6edcfc2e500684a856ad851bc0788ceb260a9727277541291d384ce35824495ea6648dfdf86df9da4a79ea43f7e8b3d7abfe8352a3c5dd212f64a957978a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
b201c19d8b06664a6e682924b3650d42

SHA1
f139fb97489348430518e0f84265fc138513c928

SHA256
650867ad52631b1163c977868204825a5e80ffad5c2846b55d5ff9705be77c2c

SHA512
1c34294c941a4e8b864526f69fec95dab00e7ab6b2e4ec6d55ceae3cb26ac6798b15a04cd283b8ee0d7ae7eb41c284c1a421e225fe1fb898fc70b225f3a353ac

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1192-24-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/1192-19-0x0000000006140000-0x000000000614A000-memory.dmp

Filesize
40KB

Download
memory/1192-17-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/1192-15-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/4988-8-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/4988-16-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/4988-7-0x000000007515E000-0x000000007515F000-memory.dmp

Filesize
4KB

Download
memory/4988-0-0x000000007515E000-0x000000007515F000-memory.dmp

Filesize
4KB

Download
memory/4988-6-0x0000000006730000-0x0000000006742000-memory.dmp

Filesize
72KB

Download
memory/4988-5-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/4988-4-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/4988-3-0x0000000005AB0000-0x0000000005B42000-memory.dmp

Filesize
584KB

Download
memory/4988-2-0x0000000006060000-0x0000000006604000-memory.dmp

Filesize
5.6MB

Download
memory/4988-1-0x0000000000EB0000-0x0000000000F1C000-memory.dmp

Filesize
432KB

Download