quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
600s
max time network
607s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (10) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral8/memory/4276-1-0x0000000000FA0000-0x000000000100C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 26 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 27 IoCs

Processes:

pid	process
1140	Client.exe
820	Client.exe
2556	Client.exe
1312	Client.exe
1520	Client.exe
4328	Client.exe
3908	Client.exe
676	Client.exe
1124	Client.exe
4296	Client.exe
4560	Client.exe
1052	Client.exe
1720	Client.exe
912	Client.exe
4032	Client.exe
920	Client.exe
2052	Client.exe
4508	Client.exe
3416	Client.exe
596	Client.exe
4472	Client.exe
920	Client.exe
3156	Client.exe
4960	Client.exe
664	Client.exe
936	Client.exe
1444	Client.exe

Looks up external IP address via web service 27 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
27	ip-api.com
13	ip-api.com
15	ip-api.com
22	ip-api.com
24	ip-api.com
36	ip-api.com
42	ip-api.com
55	ip-api.com
58	ip-api.com
2	ip-api.com
34	ip-api.com
44	ip-api.com
62	ip-api.com
19	ip-api.com
29	ip-api.com
46	ip-api.com
53	ip-api.com
64	ip-api.com
11	ip-api.com
32	ip-api.com
38	ip-api.com
48	ip-api.com
9	api.ipify.org
17	ip-api.com
40	ip-api.com
50	ip-api.com
60	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2632	1140	WerFault.exe	Client.exe
2592	820	WerFault.exe	Client.exe
4812	2556	WerFault.exe	Client.exe
560	1312	WerFault.exe	Client.exe
4516	1520	WerFault.exe	Client.exe
2312	4328	WerFault.exe	Client.exe
4936	3908	WerFault.exe	Client.exe
704	676	WerFault.exe	Client.exe
2304	1124	WerFault.exe	Client.exe
2160	4296	WerFault.exe	Client.exe
1056	4560	WerFault.exe	Client.exe
3656	1052	WerFault.exe	Client.exe
1472	1720	WerFault.exe	Client.exe
1516	912	WerFault.exe	Client.exe
2924	4032	WerFault.exe	Client.exe
3812	920	WerFault.exe	Client.exe
2404	2052	WerFault.exe	Client.exe
1592	4508	WerFault.exe	Client.exe
2448	3416	WerFault.exe	Client.exe
4412	596	WerFault.exe	Client.exe
3644	4472	WerFault.exe	Client.exe
3992	920	WerFault.exe	Client.exe
3216	3156	WerFault.exe	Client.exe
1588	4960	WerFault.exe	Client.exe
4584	664	WerFault.exe	Client.exe
3828	936	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 28 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exe

pid	process
2340	schtasks.exe
4068	schtasks.exe
4016	schtasks.exe
756	schtasks.exe
2512	schtasks.exe
2980	schtasks.exe
4380	schtasks.exe
3188	schtasks.exe
1936	schtasks.exe
1392	schtasks.exe
4352	schtasks.exe
216	schtasks.exe
1456	schtasks.exe
2864	schtasks.exe
2056	schtasks.exe
1932	schtasks.exe
5080	schtasks.exe
3568	schtasks.exe
3704	schtasks.exe
636	schtasks.exe
2900	schtasks.exe
1408	schtasks.exe
3740	schtasks.exe
3444	schtasks.exe
2364	schtasks.exe
3328	SCHTASKS.exe
3336	schtasks.exe
2728	schtasks.exe

Runs ping.exe 1 TTPs 26 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2512	PING.EXE
5056	PING.EXE
3164	PING.EXE
4388	PING.EXE
2176	PING.EXE
3316	PING.EXE
5084	PING.EXE
4896	PING.EXE
1500	PING.EXE
4912	PING.EXE
2704	PING.EXE
4876	PING.EXE
3692	PING.EXE
4032	PING.EXE
920	PING.EXE
3924	PING.EXE
1180	PING.EXE
2208	PING.EXE
3880	PING.EXE
2068	PING.EXE
816	PING.EXE
1672	PING.EXE
2584	PING.EXE
4260	PING.EXE
3560	PING.EXE
3732	PING.EXE

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

Uni - Copy (10) - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4276	Uni - Copy (10) - Copy.exe
Token: SeDebugPrivilege	1140	Client.exe
Token: SeDebugPrivilege	820	Client.exe
Token: SeDebugPrivilege	2556	Client.exe
Token: SeDebugPrivilege	1312	Client.exe
Token: SeDebugPrivilege	1520	Client.exe
Token: SeDebugPrivilege	4328	Client.exe
Token: SeDebugPrivilege	3908	Client.exe
Token: SeDebugPrivilege	676	Client.exe
Token: SeDebugPrivilege	1124	Client.exe
Token: SeDebugPrivilege	4296	Client.exe
Token: SeDebugPrivilege	4560	Client.exe
Token: SeDebugPrivilege	1052	Client.exe
Token: SeDebugPrivilege	1720	Client.exe
Token: SeDebugPrivilege	912	Client.exe
Token: SeDebugPrivilege	4032	Client.exe
Token: SeDebugPrivilege	920	Client.exe
Token: SeDebugPrivilege	2052	Client.exe
Token: SeDebugPrivilege	4508	Client.exe
Token: SeDebugPrivilege	3416	Client.exe
Token: SeDebugPrivilege	596	Client.exe
Token: SeDebugPrivilege	4472	Client.exe
Token: SeDebugPrivilege	920	Client.exe
Token: SeDebugPrivilege	3156	Client.exe
Token: SeDebugPrivilege	4960	Client.exe
Token: SeDebugPrivilege	664	Client.exe
Token: SeDebugPrivilege	936	Client.exe
Token: SeDebugPrivilege	1444	Client.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

pid	process
1140	Client.exe
820	Client.exe
2556	Client.exe
1312	Client.exe
1520	Client.exe
4328	Client.exe
3908	Client.exe
676	Client.exe
1124	Client.exe
4296	Client.exe
4560	Client.exe
1052	Client.exe
1720	Client.exe
912	Client.exe
4032	Client.exe
920	Client.exe
2052	Client.exe
4508	Client.exe
3416	Client.exe
596	Client.exe
4472	Client.exe
920	Client.exe
3156	Client.exe
4960	Client.exe
664	Client.exe
936	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (10) - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4276 wrote to memory of 2340	4276	Uni - Copy (10) - Copy.exe	schtasks.exe
PID 4276 wrote to memory of 2340	4276	Uni - Copy (10) - Copy.exe	schtasks.exe
PID 4276 wrote to memory of 2340	4276	Uni - Copy (10) - Copy.exe	schtasks.exe
PID 4276 wrote to memory of 1140	4276	Uni - Copy (10) - Copy.exe	Client.exe
PID 4276 wrote to memory of 1140	4276	Uni - Copy (10) - Copy.exe	Client.exe
PID 4276 wrote to memory of 1140	4276	Uni - Copy (10) - Copy.exe	Client.exe
PID 4276 wrote to memory of 3328	4276	Uni - Copy (10) - Copy.exe	SCHTASKS.exe
PID 4276 wrote to memory of 3328	4276	Uni - Copy (10) - Copy.exe	SCHTASKS.exe
PID 4276 wrote to memory of 3328	4276	Uni - Copy (10) - Copy.exe	SCHTASKS.exe
PID 1140 wrote to memory of 756	1140	Client.exe	schtasks.exe
PID 1140 wrote to memory of 756	1140	Client.exe	schtasks.exe
PID 1140 wrote to memory of 756	1140	Client.exe	schtasks.exe
PID 1140 wrote to memory of 812	1140	Client.exe	cmd.exe
PID 1140 wrote to memory of 812	1140	Client.exe	cmd.exe
PID 1140 wrote to memory of 812	1140	Client.exe	cmd.exe
PID 812 wrote to memory of 2104	812	cmd.exe	chcp.com
PID 812 wrote to memory of 2104	812	cmd.exe	chcp.com
PID 812 wrote to memory of 2104	812	cmd.exe	chcp.com
PID 812 wrote to memory of 2512	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 2512	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 2512	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 820	812	cmd.exe	Client.exe
PID 812 wrote to memory of 820	812	cmd.exe	Client.exe
PID 812 wrote to memory of 820	812	cmd.exe	Client.exe
PID 820 wrote to memory of 4068	820	Client.exe	schtasks.exe
PID 820 wrote to memory of 4068	820	Client.exe	schtasks.exe
PID 820 wrote to memory of 4068	820	Client.exe	schtasks.exe
PID 820 wrote to memory of 2616	820	Client.exe	cmd.exe
PID 820 wrote to memory of 2616	820	Client.exe	cmd.exe
PID 820 wrote to memory of 2616	820	Client.exe	cmd.exe
PID 2616 wrote to memory of 4480	2616	cmd.exe	chcp.com
PID 2616 wrote to memory of 4480	2616	cmd.exe	chcp.com
PID 2616 wrote to memory of 4480	2616	cmd.exe	chcp.com
PID 2616 wrote to memory of 1500	2616	cmd.exe	PING.EXE
PID 2616 wrote to memory of 1500	2616	cmd.exe	PING.EXE
PID 2616 wrote to memory of 1500	2616	cmd.exe	PING.EXE
PID 2616 wrote to memory of 2556	2616	cmd.exe	Client.exe
PID 2616 wrote to memory of 2556	2616	cmd.exe	Client.exe
PID 2616 wrote to memory of 2556	2616	cmd.exe	Client.exe
PID 2556 wrote to memory of 5080	2556	Client.exe	schtasks.exe
PID 2556 wrote to memory of 5080	2556	Client.exe	schtasks.exe
PID 2556 wrote to memory of 5080	2556	Client.exe	schtasks.exe
PID 2556 wrote to memory of 1496	2556	Client.exe	cmd.exe
PID 2556 wrote to memory of 1496	2556	Client.exe	cmd.exe
PID 2556 wrote to memory of 1496	2556	Client.exe	cmd.exe
PID 1496 wrote to memory of 2656	1496	cmd.exe	chcp.com
PID 1496 wrote to memory of 2656	1496	cmd.exe	chcp.com
PID 1496 wrote to memory of 2656	1496	cmd.exe	chcp.com
PID 1496 wrote to memory of 3316	1496	cmd.exe	PING.EXE
PID 1496 wrote to memory of 3316	1496	cmd.exe	PING.EXE
PID 1496 wrote to memory of 3316	1496	cmd.exe	PING.EXE
PID 1496 wrote to memory of 1312	1496	cmd.exe	Client.exe
PID 1496 wrote to memory of 1312	1496	cmd.exe	Client.exe
PID 1496 wrote to memory of 1312	1496	cmd.exe	Client.exe
PID 1312 wrote to memory of 3568	1312	Client.exe	schtasks.exe
PID 1312 wrote to memory of 3568	1312	Client.exe	schtasks.exe
PID 1312 wrote to memory of 3568	1312	Client.exe	schtasks.exe
PID 1312 wrote to memory of 4580	1312	Client.exe	cmd.exe
PID 1312 wrote to memory of 4580	1312	Client.exe	cmd.exe
PID 1312 wrote to memory of 4580	1312	Client.exe	cmd.exe
PID 4580 wrote to memory of 3548	4580	cmd.exe	chcp.com
PID 4580 wrote to memory of 3548	4580	cmd.exe	chcp.com
PID 4580 wrote to memory of 3548	4580	cmd.exe	chcp.com
PID 4580 wrote to memory of 1180	4580	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2340

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wym3B1TGm83Z.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2104

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2512

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0UrOYo2kH1k.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4480

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1500

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i73ZoRr2328E.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:2656

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3316

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T8xeFE1UVNPV.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3548

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1180

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WK4aK3aZkptS.bat" "
11⤵
PID:3776

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2288

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:5056

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EK9wy6aihMTq.bat" "
13⤵
PID:2616

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4928

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4876

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hjQrqr6D7UK6.bat" "
15⤵
PID:3388

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:1488

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2584

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:676

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KDYevxKxqFJe.bat" "
17⤵
PID:1232

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:556

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3692

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e0IlZpYz8uDd.bat" "
19⤵
PID:4556

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2276

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4032

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWEIRfw2NTu5.bat" "
21⤵
PID:4432

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4712

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:920

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XjHLeO3u1TYf.bat" "
23⤵
PID:4896

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4136

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3164

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkBQ4BDMUnpx.bat" "
25⤵
PID:4508

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4276

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4912

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ALmZw7VyanMc.bat" "
27⤵
PID:1260

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:4068

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2068

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\urWqai3LLAky.bat" "
29⤵
PID:2776

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:948

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:5084

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYnbSkEVHa7q.bat" "
31⤵
PID:4284

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:3168

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2208

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:920

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uADT6QfRsOLP.bat" "
33⤵
PID:1148

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:844

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:4260

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4RBJPbxlRTxf.bat" "
35⤵
PID:2296

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:4812

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:4388

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UluybPxBvuRS.bat" "
37⤵
PID:2996

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:4168

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:2176

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGqVTFLEAT8u.bat" "
39⤵
PID:2288

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:4188

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:3560

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:596

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUsYgyS7oTmV.bat" "
41⤵
PID:3964

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:2324

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:2704

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fnUqYd44PAnY.bat" "
43⤵
PID:2488

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:1056

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:816

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:920

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiiJzLLx14Ed.bat" "
45⤵
PID:1496

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:3224

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:4896

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbHjnWmKX9DE.bat" "
47⤵
PID:676

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:2072

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:3732

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZDgcSCEG9wQn.bat" "
49⤵
PID:1232

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:2572

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:1672

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\576L6ALqG2Ay.bat" "
51⤵
PID:1368

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:744

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:3880

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haE8BGZaznAX.bat" "
53⤵
PID:2652

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:3456

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:3924

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 2216
53⤵
- Program crash
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 1096
51⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 2248
49⤵
- Program crash
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 2172
47⤵
- Program crash
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1096
45⤵
- Program crash
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 2228
43⤵
- Program crash
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 1092
41⤵
- Program crash
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 2236
39⤵
- Program crash
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 2224
37⤵
- Program crash
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 2248
35⤵
- Program crash
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1688
33⤵
- Program crash
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1692
31⤵
- Program crash
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1092
29⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 2224
27⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 2224
25⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 2236
23⤵
- Program crash
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 2228
21⤵
- Program crash
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1092
19⤵
- Program crash
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 2224
17⤵
- Program crash
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1092
15⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1092
13⤵
- Program crash
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2248
11⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1084
9⤵
- Program crash
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 2232
7⤵
- Program crash
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 2248
5⤵
- Program crash
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1204
3⤵
- Program crash
PID:2632

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1140 -ip 1140
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 820 -ip 820
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2556 -ip 2556
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1312 -ip 1312
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1520 -ip 1520
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4328 -ip 4328
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3908 -ip 3908
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 676 -ip 676
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1124 -ip 1124
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4296 -ip 4296
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4560 -ip 4560
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1052 -ip 1052
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1720 -ip 1720
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 912 -ip 912
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4032 -ip 4032
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 920 -ip 920
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2052 -ip 2052
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4508 -ip 4508
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3416 -ip 3416
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 596 -ip 596
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4472 -ip 4472
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 920 -ip 920
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3156 -ip 3156
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4960 -ip 4960
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 664 -ip 664
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 936 -ip 936
1⤵
PID:2876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4RBJPbxlRTxf.bat
Filesize
207B

MD5
c14d31bcbc11010f57e6a82828eb8c94

SHA1
0bacf6eeecb1b3303d9eaaab15dde04065411fa4

SHA256
8227d5d7833bf54ef7e201fb09460c7eeced514379fa8f817e362cc83d1fc32b

SHA512
026a97a2f159602b3875464bc9a40839aa72460f01c135bed4896247165c8705db874878ab4089745747c0e7a5f4d323ba828f4bc619e53753d9a250b3003a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGqVTFLEAT8u.bat
Filesize
207B

MD5
07ade78a58a26808f36ac627f928349f

SHA1
6ca719b7a75210728b6d137c99abe8aafc6a4d48

SHA256
a2fe166321e8e6f48ae597d32ed6ac9874fb837d8f9b9621abf5ee0b70692faf

SHA512
72fd29bf5c4bfb77b9ce2dc69c3b530f34280810d8f25c5751cd64c8d7ef6263ef00f0c8aa0c57550cf9427d7c1d96ffa80ec78d083aab54c8acdcce3ba23a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ALmZw7VyanMc.bat
Filesize
207B

MD5
c454684a568f29ed63a9732e97641cdc

SHA1
d88fb7c3ed3b831dfcfabdd154cb5fb135defe59

SHA256
a89737b060ff33dbf8bbca2cee64307b89479069de973c825dda63c80a6b5a2d

SHA512
937efea74cb69dc79cf65f6d6a93fba6de336e0a7eb13612c269e70481fdc8dcfa92a873a685702cf6c09a46aff277e7eb9044eedd1bdbb5b84bbf3898bc69c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EK9wy6aihMTq.bat
Filesize
207B

MD5
453287f2b0742320f992ca5ae3bee2d4

SHA1
faebe965445367bd722665038ea7a7357d173da7

SHA256
a32187063c09d70d4160216d9a8c47ebf2f3d41061a0a060d1bb32688cef124f

SHA512
ddf09d9f55773b874fca6cf7b0dd23a2f3652ae038288eafc48af741c794e189c7ef5d1f83f3c83156353659542aef99e09091a9e8aba91ace4a9309beb13462

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkBQ4BDMUnpx.bat
Filesize
207B

MD5
2256f5f45c5e841943e291ec27b3d06b

SHA1
4d55a0608b578d8ec65d053345b1404631fb69cf

SHA256
e3809fe14856016c6e787dc0dde240d0c84fe42c9d68d9457be3478600fee1e0

SHA512
c2c31cc20efd3e802919f294fdddad9fcf6d58368b68ea1610301809e9eb1b9b43f3abf91554de257d2cc860afc7030a88fdb87d31a7c17b3e763afd0e249cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDYevxKxqFJe.bat
Filesize
207B

MD5
a7ae2bfd0af6479c3d157064216eca37

SHA1
66408eddfaca405217406eb3e31187f585e4c9e5

SHA256
4db78e9940aa3329f92926f0327c5c2a441667ec7e1b4452eab0af6e008d8fe2

SHA512
5dcabe73785c48e71b4acdc297e6c2b0446d6987f9771a7acbfeb01417a9b81e86ddebe912444bdafeeb5c2aede9cc61851176b762e78ae1fbb6dc5c2b83fc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWEIRfw2NTu5.bat
Filesize
207B

MD5
8e28bc4167b62f170a85a4cdfeedda09

SHA1
8f3f8f51a6a69a5b10ca81fadc3c5b9d9c833bd4

SHA256
3a11b3b87ad7fc8a19008e306cd401f22097d6a88a83f6c92ed9417f4963438a

SHA512
7ff3c000d2d9ea9527f852d258e20d003f02f787252812266f64bc38d4df4e2ab83ceee833537522c8bd2e9090fdee6b13caf71374af65beb6b029844a8b9ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUsYgyS7oTmV.bat
Filesize
207B

MD5
19ae4695380d6fb52015f39967e2f896

SHA1
c1e7644b1616ea7c72310fada10b54de9c383511

SHA256
a78685abf0ce2cac58f8b7b3f90235b2aca5d539f753a3bd84f985da96d90bff

SHA512
825c69d7f50a5ab86eb2e91aa074c01648cb70affdc9a7dc596e3103e00c0f00772d91f0a15f99f2592cd5ac0afeb3685316eca8a8c1870577eeaafcf810e235

Download Submit
C:\Users\Admin\AppData\Local\Temp\T8xeFE1UVNPV.bat
Filesize
207B

MD5
adeadc3c9a733b28ddfbca073de4ce37

SHA1
3c30d7dce5a0c150d71d9c45210cdf367bd59582

SHA256
9ea414cb5129a983d62640ea1c237582b983e7cb2ffd3817f05357d0dcb02bf5

SHA512
4f9ab67a07dbf8eb2493bc3e48bc0b94a21a94d501f2116fcfd4daa7f8e7f429eaa76e2f566be75da267e86e38947998dcc85a6be5924cdd4a55862566d3adfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UluybPxBvuRS.bat
Filesize
207B

MD5
58506a2862d9a4b387942825445e01c8

SHA1
c69903b0b0d649ea0e70fcb770892bb83d17113f

SHA256
0cd532cf82b565c8cdfd6b535b4d2c0907be7d97eafccbc7b1e79d432d31ab14

SHA512
50b3657cc281a6b728ca7bd62f2819c2c353a45ce2d64409bf45a05660be41d6f773260b639358084df862646d98c90310b3cb65f880efb798eb6a535e5e7556

Download Submit
C:\Users\Admin\AppData\Local\Temp\WK4aK3aZkptS.bat
Filesize
207B

MD5
3083816ffa92516b5db81b16aca081b1

SHA1
b0f4324091d154b634a9fcde1a49060428cff1b0

SHA256
e6e71a5c3f0fdf8b32748f3b22c58bf303e6abe1f8b6b2b407ef0c3d61b8d0f1

SHA512
cd5f2df60aefb5e12dcba3c33f6df2b1f7c428c5c3229d99c7a21a4ce58c465b631e56015f3686fe82593356cea12a8a86628a59fb0c1b142d70608d11fc8700

Download Submit
C:\Users\Admin\AppData\Local\Temp\XjHLeO3u1TYf.bat
Filesize
207B

MD5
363a56c795c8b13e6db7d4bf3f94d1f0

SHA1
8026e290204e88449f22b6f13924991f63e5edf8

SHA256
6a39cc4b58259b016b65eaa1bb4af6eabdf0b59eb38a4618240e81370512e96e

SHA512
da1b7ac2d190d14a17ab825d4bce100d50973ed9e1ef9bbe46d6405000d34147b02e7ab9f9cd44649fcc861aff097549515db2fea8e726b49973cbb53dcfc828

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0IlZpYz8uDd.bat
Filesize
207B

MD5
13c403977e7b3c756644eb882625aed6

SHA1
6d5d0ba0b6016d49477dab5794506f4a8f454967

SHA256
a9cbb85d165d17521ea2826ec01e5166fdfeaf8578e79e8eef8f934057eaf0fc

SHA512
14229d00ed5481afafa5759e89943c55331c7d28092c0036b88d39ea1fedbc317b209eb769f9dc8bd027f605ae7d711617fbb899f8e1bd2650519c9bfe7597aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnUqYd44PAnY.bat
Filesize
207B

MD5
21b11e6b82303c9a0d454cb8025e98e0

SHA1
e2ecb625d7b0f6376a87c142b709e2709ec7c403

SHA256
bd298c82c3af8d53f1130c229229096f2fa5ef1df9dc8c36afd3d372ed2f6551

SHA512
b4bcbe254f807b87d504bd005dd03cd9c0094476055e84361e25520eec61e3c678e3b99099326db74c69918547bcca5f9221036a9cb5c2e2d75aedadbe222f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjQrqr6D7UK6.bat
Filesize
207B

MD5
4e51d49b7a26d7dcf1b2e38ac85a730f

SHA1
acd150f86c862b1d5413627619458baabfd89de7

SHA256
75686d1f2657092d4500ab19f16d4e84f6a81ff085ec2554ec9e23752a995c2f

SHA512
6a5450f6f0f13f163460de69d7486be6f52fcc1a36653ad844c3c891a6bc453f9f722de33b46d11ddcba2c6d8178780ae3ddbfff990641f4ff94f14c9655c4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\i73ZoRr2328E.bat
Filesize
207B

MD5
e3bf62b53b823aa0153a63244311d0d7

SHA1
54c5df80d3c73a4f26227ea76ae2e91aae7303e9

SHA256
847ebffb1195302e53491e7570879c7911552cc9818e72ae0ca6076690d51140

SHA512
8bfbb2687fb936736f199ade499a4dd2673b319e278623b5c9652180775e774c307c3c7a3d6dddd4569bb65b234e3163e533b66dd51fcc07acef051e992c1ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\k0UrOYo2kH1k.bat
Filesize
207B

MD5
e1268aea0ef4cb0061bdea44bd2876e7

SHA1
f591ab34422f9f9a022dfd2bf779a9fd908c96ff

SHA256
0810ec0cae35c9d29f6c7eafed31c6bac491cc0de266f51108fc2428fae5de4d

SHA512
ea6718f0c520cb37af065024c9751cae596c3597f0f2796167741fdfd15f9661dc6aab66d038fe138904bd6e14523162be4f1d7fad3cb4a2b4f7bcc66f07684d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uADT6QfRsOLP.bat
Filesize
207B

MD5
8ed0d5a34bbb0c2acce1bba0666b8335

SHA1
16ac653ba85056d9ae78f6c7d5f36339bc926dda

SHA256
e25aacb33cd8a4de9310c6f3d86c31d5a334e2915b78986ca9fe8243908ff9e5

SHA512
ce800dead851b91a692352f15ad9cd4278ac85ade74c9ba93654f20c1a87fcf128a6727fbcbc2ff333762cf67959013f17f0e57e80bf7d367218af9578be0903

Download Submit
C:\Users\Admin\AppData\Local\Temp\urWqai3LLAky.bat
Filesize
207B

MD5
657ba666722cb8b0d8cf1103262926bf

SHA1
c55533af4ecea86ccd839f09cb3e48e3a5e51efb

SHA256
ebc01e3badc839e12ade38e721e5aea97216632bda1c2e067c465df04077651c

SHA512
9ea919b3f297d4714eb06454e55b68e0f232390b8fcf8305bbdb98bfe0c98ab018739bad7eb0d2c50ba453ceebaa2275ff0af3fcb6f003d65a3879d7112ceea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wym3B1TGm83Z.bat
Filesize
207B

MD5
ed0882313c49b67fd8a6e8875a5105d2

SHA1
8d36b4a69872bd9b7f3584b73514ad6eb805ae31

SHA256
7779950f26be928c4e9fbd100ec713261629dba9dbbd7e9c13d24403ff074535

SHA512
4106a3d6b955c0a1bfc705d304f3b6609f0c898b91fcc17a47d89fce2f279098dc246c0fced3dbaa9e141e956e886ffcc2a8b38e04b3b26b367a0ea398e0d3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYnbSkEVHa7q.bat
Filesize
207B

MD5
6459483d47bcf0167a73e98f46719c3a

SHA1
40b46a9b5844d26e52bb83dd5675fed1da71bd77

SHA256
31b56fdca94cbcb0a476c17e0851596bc2f5635433192540206cd6e1e2312ddc

SHA512
95b55250ade7c7e16780a65671a8b60bd9bcf350b1a57885915367c5320ea96707ab8750a5a4651f728aa51926344006f5a7f8605e8076a5d2d68172a65b4dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
82c24f388bd302e0baef0da264ca2294

SHA1
98792681fe9cf40ba546bf28160f6060af828fce

SHA256
6926da88ad82ba5fa6946b8ff28f1094e59d8748853c5fc09da94e99b7070166

SHA512
0b15970484767473975c229271c77e5324e4a1dc3f55025eee364cea69ed77648ee1bd17343e332d00f6ddc24054e53864f54e9519e287d3a350d67eaa265cf0

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1140-14-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/1140-19-0x0000000006270000-0x000000000627A000-memory.dmp

Filesize
40KB

Download
memory/1140-17-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/1140-24-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4276-16-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4276-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/4276-8-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4276-7-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/4276-6-0x00000000066F0000-0x0000000006702000-memory.dmp

Filesize
72KB

Download
memory/4276-5-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/4276-4-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4276-3-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/4276-2-0x0000000006000000-0x00000000065A4000-memory.dmp

Filesize
5.6MB

Download
memory/4276-1-0x0000000000FA0000-0x000000000100C000-memory.dmp

Filesize
432KB

Download