quasar | 9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908

Analysis

max time kernel
52s
max time network
52s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-12-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Panel Ejecutador MTA 3.14.zip
Size

1.1MB
MD5

d345c2eb24b0d3806865fda604ad1cc8
SHA1

6b813317f6108f2c242babda58097070503df242
SHA256

9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908
SHA512

76c941b833ffcef6da121c2e2735952ed81cbf7c6a6260a227040d37abf0adaa41461045c69710331345d52d95aac89ddf0a256ebc85fbdb2ed703106999ab74
SSDEEP

24576:ioRau4l48JTUIlfSsqFDxCs3+UgQYuX370FBZa:ioRUv5UIYsqOs3+UPY234m

Score

10^/10

quasar office04 discovery phishing spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000046211-2.dat	family_quasar
behavioral1/memory/2752-5-0x0000000000930000-0x0000000000C86000-memory.dmp	family_quasar

A potential corporate email address has been identified in the URL: 2387401053DB208C0A490D4C@AdobeOrg
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 2 IoCs

pid	Process
2752	Panel Ejecutador MTA 3.14.exe
4316	WindowsUpdate.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133788552519801863"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
932	schtasks.exe
4388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4976	chrome.exe
4976	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1056	7zFM.exe
Token: 35	1056	7zFM.exe
Token: SeSecurityPrivilege	1056	7zFM.exe
Token: SeDebugPrivilege	2752	Panel Ejecutador MTA 3.14.exe
Token: SeDebugPrivilege	4316	WindowsUpdate.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	3164	wmplayer.exe
Token: SeCreatePagefilePrivilege	3164	wmplayer.exe
Token: SeShutdownPrivilege	4508	unregmp2.exe
Token: SeCreatePagefilePrivilege	4508	unregmp2.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1056	7zFM.exe
1056	7zFM.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
3164	wmplayer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4316	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 932	2752	Panel Ejecutador MTA 3.14.exe	86
PID 2752 wrote to memory of 932	2752	Panel Ejecutador MTA 3.14.exe	86
PID 2752 wrote to memory of 4316	2752	Panel Ejecutador MTA 3.14.exe	88
PID 2752 wrote to memory of 4316	2752	Panel Ejecutador MTA 3.14.exe	88
PID 4976 wrote to memory of 3308	4976	chrome.exe	90
PID 4976 wrote to memory of 3308	4976	chrome.exe	90
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 2036	4976	chrome.exe	91
PID 4976 wrote to memory of 3968	4976	chrome.exe	92
PID 4976 wrote to memory of 3968	4976	chrome.exe	92
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93
PID 4976 wrote to memory of 4060	4976	chrome.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Panel Ejecutador MTA 3.14.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1056

C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe
"C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:932
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4316
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8fcaacc40,0x7ff8fcaacc4c,0x7ff8fcaacc58
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4924,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:3780
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x7ff6f8594698,0x7ff6f85946a4,0x7ff6f85946b0
    3⤵
    - Drops file in Windows directory
    PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4572,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3380,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5040,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4780,i,1305931668239385344,4959777548253753724,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4324

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3560

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3164
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  PID:976
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000047

Filesize
46KB

MD5
19733017045ef35c0ce7a4fece3b3556

SHA1
1d50605319520561db5ce841b578bf1d8dfc2a9b

SHA256
b473e5439786469e216bd7884f17cd4c359b4a7a3533b31f57a590525bb3eb9e

SHA512
111dc5cd4c003f5eb6ff24c765668c0d45055cf922d1ab85b218429c0e283705a0063fd193001fa9cc5d6d74449628175fa3bd05fb4e5c7b33e387e92683e36f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6e8292a946668eb81ea7901142a4ef8d

SHA1
da4bb7024b6cfc2ca143d54128a54e41645162d0

SHA256
6f50a10f92312ae65abc22282387642d66fada705876b7d35ffa396da8c3a31e

SHA512
a68af5cc158655692cfadb03e6f43c1e31b3a4be34fdb0ab85e0c40717b8446bbe0d7b5e44261d603729b0cc54da4dcb53604ef7d3a2aa9361cf1b5ec19bcd63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c83e10e01e0bbfcf6a454cb4438e8395

SHA1
001569031c55a138aaf5c24044fa79f6edd7d78b

SHA256
13ea0842a483727d768a20c348fc4213abad5bd9123fbd5c72d09935247fa406

SHA512
d82310f1c40622a54c791d5112a5f89b5a21d9814b3ed29e9e4ce58c2adbc7133bdcc68408e3eca6ec93a7f8d9467adbb146684df1d7b7df45bc186e484ff979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3070b1fc2f16b1ec9f0d256cdc6e2db9

SHA1
bfbcf6f5a18e9551a66e123f383ceec105557922

SHA256
c5f44e33c433cb17d28b7ea314236db2578dd2ab3171e8768be57e15bb24b082

SHA512
e976c619b193c791cc80aaddadf0551da9c76ab6ee325f355fcf9de9020d8247f687468614cfa573205bed5057ce21c72c3895184b7efb08971e1c35bd8529a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad6c7f4d09cd81874416bcb835599ff6

SHA1
b8424aadd45cb41de0ba65b60fce749252ef9da2

SHA256
e76447d0548cf699c735de990e04117d047c6589a3437ba42d4338e6f72feb7d

SHA512
0d5e6327d11607e165ac1ea33f1d7763aac3fa809cf744cdad2f2d0aaa5e7eb9f17fd3320294023b3ca6d17a444092c5d6b8cb1dc9cc6c8235c7efa17a94863a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8850c315c2d88aeb121e75852990aefa

SHA1
9923e2a9924e11974b10a7c30cb3d27d08dfab96

SHA256
b6e41314149715df3aef9ef7e431650b97ffcabc4b4bab592799f77e2ca0f57c

SHA512
629e700ead804f96f834db3fe60770dc8ecbef2b22d8e92353d04442d0bceac8701e8190f3e968452c8e2b5354020fbcb13383adaf4b38fe4483309f0a8de3bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3d5f6b0a9969c226aec91fb76deb6098

SHA1
97088df758cd6ecf3b4bb9453ac1c193b4e1982d

SHA256
0057c27d274a27052efeac26f689da807a621be84ca9cf4aba23fb372728eb79

SHA512
a4a8fe21503b11c7d1eee044b7abef9ce1afeb4c983e44c1fb6e5f44d9371555703d31e9113b2c223c14e8187c43d5e8d86c29d1195a8784c2d20a3b5595bddd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fb07dd1b-3290-4ae3-8962-3bc70f8c598f.tmp

Filesize
9KB

MD5
7fa6a93f3c5a2083310b137af094003e

SHA1
4a6ac59b52c1505de741097ea129e930b5968103

SHA256
c31ef8de31a1f770ef50182978fd0661996e24947a5ba2b9d92a31e614a1b4c9

SHA512
25131331b3098a4396c2756251562573bb3e5bed6b2177ee0eac1df9a56c06c1ba7e9b54ac5a3074013041c89e4cde863a01644b121208c989b806ab0a4b1aa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
0f978c5ccfa9557bbf2e43517880ace7

SHA1
44b93245aefc4d0ec21374f3aef59a378c3cd8c6

SHA256
0efeb02e6105e259552a4df7ec5f9fc1719a2711d3291da53c97a00c3481e984

SHA512
6aa2e063d2cbaa36bc1e7a9a723afab8cf0a442d01f273ee1fc0711b38fb073fb907e8ee4337a75714444cdecd8d0ef748ad4eb5f1791a3c5603a0fd1eaf1830

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
bf4286224b7226e50364564acfe4a29c

SHA1
d8ef67e1955ae0c30b2ea49cb872a0e42980f920

SHA256
2f457cb568ca780b6cc4fa56d45888f59cbc0b3e3faa60b6ac942fb6b6f18050

SHA512
a40b4589a1203d4fb7669175838a3636670ccbfc9e23c2e69da95831658b2574e72a3d149df6af47e8957cdbae667bb32931ea806959ea84e55bc87a4e1435e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
caf854f6c22ed1606b82c49180aa2002

SHA1
7c92dfe7756ea26d5a572527b7c9a1553f0418e2

SHA256
61c246b51fab4d02a8c1d253fea6f832ea8bf6afd821bb34768baa99845dd908

SHA512
56b57fedf5ea51ee42181ce5da6e8e0aa78d47edf469d141c771f47893ccf7911e95dca2089cd79f3893000fdd1f4442167fb93c19012914059d2eabe292f047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
b450622a8f2a0be470fc9ebd7856be73

SHA1
4aa93721d2e6ea4e12f104e83870d85a2d322e40

SHA256
532a38a42214a35864cc67b2d73af3b41210cb9b33831e75eef9aeb6bab0c180

SHA512
13fbbc7a29436ef2bb3ba4921cc328ca2df085494c3f874ed1f8ebb3afd51a7561788b976e436c321640bcdb36d27a8b0b20d270f4d4f89cd40d192b8dba5f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
1f4259c0cdfeb18c9d16c846e3defc6e

SHA1
4a7d2884a439ca8ee6d319e4fd4f7a452fbd9e2e

SHA256
a9b15b093126231e2fae55de971cfcc1d031b1572635c36b966552c1882857f6

SHA512
106451e417b494bede69b0cbd718528d057c88794d37a2eccf0248fdbef4e658e625dddad47c542accabea39115654f4d289eaea1c91386a48583ecb51f8fadd

Download Submit
C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe

Filesize
3.3MB

MD5
5791d405ca0a97a89eeaeb4f2be628be

SHA1
a012d40aaaa01db12a83b0e4408d012fd383dd0b

SHA256
6c67a1bf1d558b31a790e4bdcef062c9b49f00a1b3d7361dfc8308d55b87bc5d

SHA512
3971447d6a5f1ffe51bb1acc0d2525aa5bca521358c67828e6bd983d68e8c22dfa83ab49109575bc113e13de861682af563a3ed21e5ef48cce1bfcdb8f1f2afd

Download Submit
memory/2752-9-0x00007FF901750000-0x00007FF902212000-memory.dmp

Filesize
10.8MB

Download
memory/2752-6-0x00007FF901750000-0x00007FF902212000-memory.dmp

Filesize
10.8MB

Download
memory/2752-5-0x0000000000930000-0x0000000000C86000-memory.dmp

Filesize
3.3MB

Download
memory/2752-4-0x00007FF901753000-0x00007FF901755000-memory.dmp

Filesize
8KB

Download
memory/3164-399-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-413-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-85-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-80-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-81-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-78-0x0000000007B60000-0x0000000007B70000-memory.dmp

Filesize
64KB

Download
memory/3164-79-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-443-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-442-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-82-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-84-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-389-0x0000000007B60000-0x0000000007B70000-memory.dmp

Filesize
64KB

Download
memory/3164-390-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-391-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-392-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-393-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-394-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-395-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-397-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-396-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-398-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-400-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-83-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-401-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-402-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-406-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-405-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-404-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-403-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-407-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-408-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-409-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-410-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-411-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-412-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-86-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-414-0x0000000007B60000-0x0000000007B70000-memory.dmp

Filesize
64KB

Download
memory/3164-415-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-416-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-417-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-418-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-420-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-422-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-423-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-425-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-424-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-421-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-419-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-427-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-429-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-428-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-431-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-432-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-430-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-433-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-434-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-435-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-436-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-437-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/3164-439-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-440-0x0000000007B60000-0x0000000007B70000-memory.dmp

Filesize
64KB

Download
memory/3164-438-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3164-441-0x000000000A390000-0x000000000A3A0000-memory.dmp

Filesize
64KB

Download
memory/4316-374-0x000000001D5F0000-0x000000001D797000-memory.dmp

Filesize
1.7MB

Download
memory/4316-38-0x000000001D2B0000-0x000000001D2EC000-memory.dmp

Filesize
240KB

Download
memory/4316-37-0x000000001CB30000-0x000000001CB42000-memory.dmp

Filesize
72KB

Download
memory/4316-36-0x000000001D7A0000-0x000000001DCC8000-memory.dmp

Filesize
5.2MB

Download
memory/4316-20-0x000000001CB70000-0x000000001CC22000-memory.dmp

Filesize
712KB

Download
memory/4316-19-0x000000001CA60000-0x000000001CAB0000-memory.dmp

Filesize
320KB

Download