quasar | 783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe
Size

2.7MB
MD5

371d95abce192df7ac5648f4f954c456
SHA1

f243994c2906525292b44b40e78aa0358589592f
SHA256

783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f
SHA512

6ef6bf42d47e3a5b4995ddd985c6726ffd1883ecbbf3c71f62511abc7d20fde208cd0371a3bcff54c855c253e1d483dd8a9ed2b661d734df3ac526a9514b3979
SSDEEP

49152:uc4IZF1R2mztVOo6Ol9ureHIge8lDNlMdCKaGv2LkmNKUSW:uc4IZvR2mztVOo6Ol9uriIge8lP

Score

10^/10

quasar serviceone spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

serviceone

serviceofflineupdate.ddnsgeek.com:4782

Mutex

17af5434-027b-475c-85b6-fca637f3330d

Attributes

encryption_key
F5275112E106580A140655595766AE270983F72B
install_name
Chrome.exe
log_directory
Logs
reconnect_delay
6000
startup_key
chrome update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-1-0x0000000000390000-0x0000000000652000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe	family_quasar
behavioral1/memory/2292-9-0x0000000000A00000-0x0000000000CC2000-memory.dmp	family_quasar
behavioral1/memory/2480-23-0x0000000000FE0000-0x00000000012A2000-memory.dmp	family_quasar
behavioral1/memory/2652-34-0x0000000001220000-0x00000000014E2000-memory.dmp	family_quasar
behavioral1/memory/1316-46-0x00000000003F0000-0x00000000006B2000-memory.dmp	family_quasar
behavioral1/memory/1168-57-0x0000000000970000-0x0000000000C32000-memory.dmp	family_quasar
behavioral1/memory/2252-70-0x0000000000130000-0x00000000003F2000-memory.dmp	family_quasar
behavioral1/memory/608-81-0x00000000012A0000-0x0000000001562000-memory.dmp	family_quasar
behavioral1/memory/2068-138-0x00000000000E0000-0x00000000003A2000-memory.dmp	family_quasar
behavioral1/memory/2228-150-0x0000000000E10000-0x00000000010D2000-memory.dmp	family_quasar
behavioral1/memory/276-162-0x00000000012F0000-0x00000000015B2000-memory.dmp	family_quasar

Detects Windows executables referencing non-Windows User-Agents 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-1-0x0000000000390000-0x0000000000652000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2292-9-0x0000000000A00000-0x0000000000CC2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2480-23-0x0000000000FE0000-0x00000000012A2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2652-34-0x0000000001220000-0x00000000014E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1316-46-0x00000000003F0000-0x00000000006B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1168-57-0x0000000000970000-0x0000000000C32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2252-70-0x0000000000130000-0x00000000003F2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/608-81-0x00000000012A0000-0x0000000001562000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2068-138-0x00000000000E0000-0x00000000003A2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2228-150-0x0000000000E10000-0x00000000010D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/276-162-0x00000000012F0000-0x00000000015B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-1-0x0000000000390000-0x0000000000652000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2292-9-0x0000000000A00000-0x0000000000CC2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2480-23-0x0000000000FE0000-0x00000000012A2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2652-34-0x0000000001220000-0x00000000014E2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1316-46-0x00000000003F0000-0x00000000006B2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1168-57-0x0000000000970000-0x0000000000C32000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2252-70-0x0000000000130000-0x00000000003F2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/608-81-0x00000000012A0000-0x0000000001562000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2068-138-0x00000000000E0000-0x00000000003A2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2228-150-0x0000000000E10000-0x00000000010D2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/276-162-0x00000000012F0000-0x00000000015B2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-1-0x0000000000390000-0x0000000000652000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2292-9-0x0000000000A00000-0x0000000000CC2000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2480-23-0x0000000000FE0000-0x00000000012A2000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2652-34-0x0000000001220000-0x00000000014E2000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/1316-46-0x00000000003F0000-0x00000000006B2000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/1168-57-0x0000000000970000-0x0000000000C32000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2252-70-0x0000000000130000-0x00000000003F2000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/608-81-0x00000000012A0000-0x0000000001562000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2068-138-0x00000000000E0000-0x00000000003A2000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2228-150-0x0000000000E10000-0x00000000010D2000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/276-162-0x00000000012F0000-0x00000000015B2000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer

Executes dropped EXE 15 IoCs

Processes:

Chrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exe

pid	process
2292	Chrome.exe
2480	Chrome.exe
2652	Chrome.exe
1316	Chrome.exe
1168	Chrome.exe
2252	Chrome.exe
608	Chrome.exe
2680	Chrome.exe
2816	Chrome.exe
1920	Chrome.exe
1136	Chrome.exe
2068	Chrome.exe
2228	Chrome.exe
276	Chrome.exe
2416	Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1544 PING.EXE
2724 PING.EXE
1148 PING.EXE
2428 PING.EXE
2532 PING.EXE
1400 PING.EXE
1656 PING.EXE
1148 PING.EXE
2288 PING.EXE
1048 PING.EXE
2032 PING.EXE
1608 PING.EXE
688 PING.EXE
1720 PING.EXE
2512 PING.EXE

pid	process
1544	PING.EXE
2724	PING.EXE
1148	PING.EXE
2428	PING.EXE
2532	PING.EXE
1400	PING.EXE
1656	PING.EXE
1148	PING.EXE
2288	PING.EXE
1048	PING.EXE
2032	PING.EXE
1608	PING.EXE
688	PING.EXE
1720	PING.EXE
2512	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2504	schtasks.exe
2804	schtasks.exe
2096	schtasks.exe
2348	schtasks.exe
2680	schtasks.exe
1856	schtasks.exe
1796	schtasks.exe
616	schtasks.exe
3060	schtasks.exe
1404	schtasks.exe
1676	schtasks.exe
2588	schtasks.exe
276	schtasks.exe
1404	schtasks.exe
1268	schtasks.exe
1112	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	2748	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe
Token: SeDebugPrivilege	2292	Chrome.exe
Token: SeDebugPrivilege	2480	Chrome.exe
Token: SeDebugPrivilege	2652	Chrome.exe
Token: SeDebugPrivilege	1316	Chrome.exe
Token: SeDebugPrivilege	1168	Chrome.exe
Token: SeDebugPrivilege	2252	Chrome.exe
Token: SeDebugPrivilege	608	Chrome.exe
Token: SeDebugPrivilege	2680	Chrome.exe
Token: SeDebugPrivilege	2816	Chrome.exe
Token: SeDebugPrivilege	1920	Chrome.exe
Token: SeDebugPrivilege	1136	Chrome.exe
Token: SeDebugPrivilege	2068	Chrome.exe
Token: SeDebugPrivilege	2228	Chrome.exe
Token: SeDebugPrivilege	276	Chrome.exe
Token: SeDebugPrivilege	2416	Chrome.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

Chrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exe

pid	process
2292	Chrome.exe
2480	Chrome.exe
2652	Chrome.exe
1316	Chrome.exe
1168	Chrome.exe
2252	Chrome.exe
608	Chrome.exe
2680	Chrome.exe
2816	Chrome.exe
1920	Chrome.exe
1136	Chrome.exe
2068	Chrome.exe
2228	Chrome.exe
276	Chrome.exe
2416	Chrome.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

Chrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exe

pid	process
2292	Chrome.exe
2480	Chrome.exe
2652	Chrome.exe
1316	Chrome.exe
1168	Chrome.exe
2252	Chrome.exe
608	Chrome.exe
2680	Chrome.exe
2816	Chrome.exe
1920	Chrome.exe
1136	Chrome.exe
2068	Chrome.exe
2228	Chrome.exe
276	Chrome.exe
2416	Chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exeChrome.execmd.exeChrome.execmd.exeChrome.execmd.exeChrome.execmd.exe

description	pid	process	target process
PID 2748 wrote to memory of 3060	2748	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe	schtasks.exe
PID 2748 wrote to memory of 3060	2748	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe	schtasks.exe
PID 2748 wrote to memory of 3060	2748	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe	schtasks.exe
PID 2748 wrote to memory of 2292	2748	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe	Chrome.exe
PID 2748 wrote to memory of 2292	2748	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe	Chrome.exe
PID 2748 wrote to memory of 2292	2748	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe	Chrome.exe
PID 2292 wrote to memory of 2680	2292	Chrome.exe	schtasks.exe
PID 2292 wrote to memory of 2680	2292	Chrome.exe	schtasks.exe
PID 2292 wrote to memory of 2680	2292	Chrome.exe	schtasks.exe
PID 2292 wrote to memory of 2496	2292	Chrome.exe	cmd.exe
PID 2292 wrote to memory of 2496	2292	Chrome.exe	cmd.exe
PID 2292 wrote to memory of 2496	2292	Chrome.exe	cmd.exe
PID 2496 wrote to memory of 2508	2496	cmd.exe	chcp.com
PID 2496 wrote to memory of 2508	2496	cmd.exe	chcp.com
PID 2496 wrote to memory of 2508	2496	cmd.exe	chcp.com
PID 2496 wrote to memory of 2288	2496	cmd.exe	PING.EXE
PID 2496 wrote to memory of 2288	2496	cmd.exe	PING.EXE
PID 2496 wrote to memory of 2288	2496	cmd.exe	PING.EXE
PID 2496 wrote to memory of 2480	2496	cmd.exe	Chrome.exe
PID 2496 wrote to memory of 2480	2496	cmd.exe	Chrome.exe
PID 2496 wrote to memory of 2480	2496	cmd.exe	Chrome.exe
PID 2480 wrote to memory of 2588	2480	Chrome.exe	schtasks.exe
PID 2480 wrote to memory of 2588	2480	Chrome.exe	schtasks.exe
PID 2480 wrote to memory of 2588	2480	Chrome.exe	schtasks.exe
PID 2480 wrote to memory of 816	2480	Chrome.exe	cmd.exe
PID 2480 wrote to memory of 816	2480	Chrome.exe	cmd.exe
PID 2480 wrote to memory of 816	2480	Chrome.exe	cmd.exe
PID 816 wrote to memory of 2052	816	cmd.exe	chcp.com
PID 816 wrote to memory of 2052	816	cmd.exe	chcp.com
PID 816 wrote to memory of 2052	816	cmd.exe	chcp.com
PID 816 wrote to memory of 1048	816	cmd.exe	PING.EXE
PID 816 wrote to memory of 1048	816	cmd.exe	PING.EXE
PID 816 wrote to memory of 1048	816	cmd.exe	PING.EXE
PID 816 wrote to memory of 2652	816	cmd.exe	Chrome.exe
PID 816 wrote to memory of 2652	816	cmd.exe	Chrome.exe
PID 816 wrote to memory of 2652	816	cmd.exe	Chrome.exe
PID 2652 wrote to memory of 1404	2652	Chrome.exe	schtasks.exe
PID 2652 wrote to memory of 1404	2652	Chrome.exe	schtasks.exe
PID 2652 wrote to memory of 1404	2652	Chrome.exe	schtasks.exe
PID 2652 wrote to memory of 2992	2652	Chrome.exe	cmd.exe
PID 2652 wrote to memory of 2992	2652	Chrome.exe	cmd.exe
PID 2652 wrote to memory of 2992	2652	Chrome.exe	cmd.exe
PID 2992 wrote to memory of 1832	2992	cmd.exe	chcp.com
PID 2992 wrote to memory of 1832	2992	cmd.exe	chcp.com
PID 2992 wrote to memory of 1832	2992	cmd.exe	chcp.com
PID 2992 wrote to memory of 1656	2992	cmd.exe	PING.EXE
PID 2992 wrote to memory of 1656	2992	cmd.exe	PING.EXE
PID 2992 wrote to memory of 1656	2992	cmd.exe	PING.EXE
PID 2992 wrote to memory of 1316	2992	cmd.exe	Chrome.exe
PID 2992 wrote to memory of 1316	2992	cmd.exe	Chrome.exe
PID 2992 wrote to memory of 1316	2992	cmd.exe	Chrome.exe
PID 1316 wrote to memory of 1676	1316	Chrome.exe	schtasks.exe
PID 1316 wrote to memory of 1676	1316	Chrome.exe	schtasks.exe
PID 1316 wrote to memory of 1676	1316	Chrome.exe	schtasks.exe
PID 1316 wrote to memory of 2224	1316	Chrome.exe	cmd.exe
PID 1316 wrote to memory of 2224	1316	Chrome.exe	cmd.exe
PID 1316 wrote to memory of 2224	1316	Chrome.exe	cmd.exe
PID 2224 wrote to memory of 2256	2224	cmd.exe	chcp.com
PID 2224 wrote to memory of 2256	2224	cmd.exe	chcp.com
PID 2224 wrote to memory of 2256	2224	cmd.exe	chcp.com
PID 2224 wrote to memory of 2724	2224	cmd.exe	PING.EXE
PID 2224 wrote to memory of 2724	2224	cmd.exe	PING.EXE
PID 2224 wrote to memory of 2724	2224	cmd.exe	PING.EXE
PID 2224 wrote to memory of 1168	2224	cmd.exe	Chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe
"C:\Users\Admin\AppData\Local\Temp\783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsrtuTJmi1FK.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2508

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2288

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\InhfenU8JAfJ.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2052

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1048

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\g0BsNh9cDl06.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:1832

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1656

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iaFFdeVXXHdO.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:2256

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2724

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1168

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\s0QhP01fgvkG.bat" "
11⤵
PID:1912

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:1880

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1148

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2252

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qAyJPn6ANSWO.bat" "
13⤵
PID:2392

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1072

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2032

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:608

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGI70wQv7lUH.bat" "
15⤵
PID:2156

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:1504

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2428

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\No8Wdtp3fgnI.bat" "
17⤵
PID:772

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:1052

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2532

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2816

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rNuhqAYeFE4K.bat" "
19⤵
PID:2568

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2196

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1400

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\r1SrzTZdJSsu.bat" "
21⤵
PID:2268

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:1628

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1608

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1136

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QicNfuvz1TYb.bat" "
23⤵
PID:1292

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:112

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:688

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2068

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XO0gwH76xen0.bat" "
25⤵
PID:1936

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:332

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1148

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2228

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7yiMtH7sojPx.bat" "
27⤵
PID:2184

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2404

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1544

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:276

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\d3dVFMipGxkG.bat" "
29⤵
PID:1756

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:2432

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1720

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2416

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
31⤵
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KU80Ni7j70qQ.bat" "
31⤵
PID:2720

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:2632

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2512

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7yiMtH7sojPx.bat
Filesize
207B

MD5
f6f93bca446f866291637ffeffb5d08a

SHA1
d97fe373c35feac8ba409a45bf9aa31d216a74f8

SHA256
59355b87ab020bafd712f34ff954f4c9f0dc87c17f927beab042aa9df13032ce

SHA512
75b963f19b5665f67d6842af0a4a44e4bec9e596d745362180645cdbaad6d853f44c13bd35b978e1848ed89e92d997cd1f25bc12039e0811f3737ad502c5fdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGI70wQv7lUH.bat
Filesize
207B

MD5
9f529a1a8f4fec9c1717a62f5adfdfed

SHA1
a753c07923a9840f64d3dc73790f7b20f08b1efd

SHA256
8d696cf6bd541fedf5edadaeac85aba7191f1044ac0991d229079247b590dcc7

SHA512
614126a58e668604a51baa3db8bc3d4b8ce5a3b175e6fdcef19bb6f5b81a52f5376a4be687c6660802d3fbf9011bc0756df70527a8c613d0d381cf86a178b7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\InhfenU8JAfJ.bat
Filesize
207B

MD5
c057370cf84ad5ab03a6a1f2310a4630

SHA1
f27042d133beb1ef7496e38c9cf9dc34d1c02ece

SHA256
6d37298877193e716f987bf2df0b49137bf050f33a1f6d4e556d5daef09b1a2e

SHA512
328052907c99473c5e25068ea1fd935a61457de744efb70edb891204bf57663170fc0cfe2561927216546e1021abee05ecceffd235f51a5f45438736563965aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\KU80Ni7j70qQ.bat
Filesize
207B

MD5
5b66b5c45597fa1742ec268098c2a0a5

SHA1
51d8370cf1b8efc31ac1c6e5e6f39448239eb05e

SHA256
e99c53b5dedd2ee3d8df2f75cc113dfeac0b90a71f927cb320400b4c7779f47a

SHA512
864aa1c4e87f108dc541bdd39090461da1ec7287e9f5a2d2b74544a6b3d11a91f252dd880131f988da2346d98d242b1056869a5c1ba06678e0a062bf0b7d171c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsrtuTJmi1FK.bat
Filesize
207B

MD5
0a728e063f6bda644b7bfac997bd37f5

SHA1
461cbda58974f3e0fdfb9b618dbda9ee36ca57bb

SHA256
0927d7663ddc3262407b1c8f400064c35c511017660c21d46a229e2d314c7f25

SHA512
0c15ca18f6e93e073c8a18d71b27f44541671d043037a1f05c167d990a463f2f79a60f93f65163fc7842ff9c4528e1532864154446b80373c2db5a38702808ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\No8Wdtp3fgnI.bat
Filesize
207B

MD5
c476cdcd50f39b6a47f98099061f9942

SHA1
737e0f41632e1d20aaf3f835f874c526a3ad780f

SHA256
4e0f89ce731090c81064afdcc64d046237749e7e2efd30bb87f220e685b44258

SHA512
625b5bfdb18fe5b3c5cc10b187f45ad75bda7f50859d9c36f5868080cc7ff345412095747e5ab59ffa9870302bd1331bd6eacf1fd52a225df3c34447ce12f371

Download Submit
C:\Users\Admin\AppData\Local\Temp\QicNfuvz1TYb.bat
Filesize
207B

MD5
4cfd1a46153062b7b1859da087941891

SHA1
670c0eb9133e358ed14bdf7c283dc3fd6e709504

SHA256
43e70448246114948eab1c79ee31dce5d3ef0b7c5153f6deba6922a2a9eba0d1

SHA512
8d6ca84b4b716874afb6be29b68f48ddd02869749deb9da6869d77b4f3254717232e37d837a7d8ae950c1ee03b38a3fc64222f139929ffc0f169a2ceab9ab92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XO0gwH76xen0.bat
Filesize
207B

MD5
36a2dcb716da812a3bf160fc00fda211

SHA1
eba57da3b49c8b99bf073c3e0bf9b6e57e96fe43

SHA256
2b1ceaceaac98ddeb9cfbc9809b2396382df169f25329a0f753af394b11bbf98

SHA512
5043c318417385dc4e5e1af7575a92e362a9cae708dd29568b5429c898dc3819825b69492ba09f92c2b8b33b202a4a64185b254911b459622d9b4a8337b0a272

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3dVFMipGxkG.bat
Filesize
207B

MD5
97c5530bd4b10459847416bc7571cfca

SHA1
c2300d55bde6cbb9f9e538b8dc8cb9d5dd9317e9

SHA256
5a15564ae1fb48f9004cc193a7c0dcbabcf181f4d7543d79a49750cd399646a6

SHA512
fc14cf06030af140c83638bc0102bd50174747dd79f54bcbe164febb639eee1ff5b238ec68f6f79aeb8de774b8bcf3238d07bf325298b8bc11086cee617a3546

Download Submit
C:\Users\Admin\AppData\Local\Temp\g0BsNh9cDl06.bat
Filesize
207B

MD5
39408b016253aede3a9750c9ade1d470

SHA1
5f9a05d54e5bcfbbf2a4ccb01d289b761842ea9b

SHA256
62acd4b26acbabbc1159ef41fd274286bccf636dc8a2248f3345eddad87633e0

SHA512
0c71950469b30f4ad358bc1d09a4300fd62341fd3c5b105fa78f9f3edf8532f2df65a404e30c2dd1d5f80297ad1c613c228efdce0da5452fee32b115f8336d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\iaFFdeVXXHdO.bat
Filesize
207B

MD5
6efe4a45877efe2d983e00f76d26084d

SHA1
c27373eacac130e77086d525da0d05e7e4802bc9

SHA256
b26b844234d4f2e2c5241e674927b2a1928763267595e70a4a6c529f90615ef2

SHA512
216bd5cb77b0509f3b95a5f57bdb90e75f02e507a43d3aa4c90f14ac1771a255a23da1f1bca73c354eebae1f81d101fc36d97c7cb58063ebcc62eabd568f1ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAyJPn6ANSWO.bat
Filesize
207B

MD5
4bc1cbd90f8e60a714d70c10948dfdab

SHA1
3fc20fbe7aa14509477b8afae5860ca1f2a6eefd

SHA256
dcbf5cdb6b454e10ad030fc4e99ac235c340f096af890a597fb0075d0420055f

SHA512
d2808d87b7c021d05780b4c09c22d94431090046a576ef8b3ba99214bcf495c575aa889c5aee73f9237e0f37fa90c97374f9a4698def05e8536db3dfae091b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\r1SrzTZdJSsu.bat
Filesize
207B

MD5
804586aacc4f9013e83e09ff15121eaa

SHA1
feac939c6b4c7e976061cb673763e52158cfcb24

SHA256
c537d5d0342e9139856f4f29f2cb268e5f4efbbdeea014650cc28a78266ff5d6

SHA512
1e1115ca02c12fde5dd095212fb59e3dab8ec49f55d98ad87e0ddb97bef74df70317a039afb3d168c389f837f339ae63cad40eb77cbec9b23e13e98e126eb2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rNuhqAYeFE4K.bat
Filesize
207B

MD5
26f0d4acd7ae11f83c6794db81e376d0

SHA1
c1781d922ee27003db5d312971fc7b34f412a8ea

SHA256
784d056c5520423cc893fb2c4f003f200a4f265e8ae5a01bb0b4f9d040a2e14c

SHA512
ff8bdf767ab6a0d4dad404d4e87abf731f4c476e40c3eef9a0e17080586ed082230017ed7a74957629b95f9150afaa7d38195d79932c0671a39be02c50694f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\s0QhP01fgvkG.bat
Filesize
207B

MD5
b7ab67376119fc65ca4f6277ea94c770

SHA1
149fe11a1cc76f18f6902507e652bade5992b8dd

SHA256
32eadea7cab4743e0b690fbfb549fec2ef98b0a02bf9b5faaeaf282b922ef8b3

SHA512
92f1080a0648906f2d0a7fa0a8ea805ae91add5baae53cf06649d795b1420c95701d1fd6986f957622b01dfacc1701a23ed901d07f9074832c2eb45f72a31d87

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
Filesize
2.7MB

MD5
371d95abce192df7ac5648f4f954c456

SHA1
f243994c2906525292b44b40e78aa0358589592f

SHA256
783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f

SHA512
6ef6bf42d47e3a5b4995ddd985c6726ffd1883ecbbf3c71f62511abc7d20fde208cd0371a3bcff54c855c253e1d483dd8a9ed2b661d734df3ac526a9514b3979

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/276-162-0x00000000012F0000-0x00000000015B2000-memory.dmp

Filesize
2.8MB

Download
memory/608-81-0x00000000012A0000-0x0000000001562000-memory.dmp

Filesize
2.8MB

Download
memory/1168-57-0x0000000000970000-0x0000000000C32000-memory.dmp

Filesize
2.8MB

Download
memory/1316-46-0x00000000003F0000-0x00000000006B2000-memory.dmp

Filesize
2.8MB

Download
memory/2068-138-0x00000000000E0000-0x00000000003A2000-memory.dmp

Filesize
2.8MB

Download
memory/2228-150-0x0000000000E10000-0x00000000010D2000-memory.dmp

Filesize
2.8MB

Download
memory/2252-70-0x0000000000130000-0x00000000003F2000-memory.dmp

Filesize
2.8MB

Download
memory/2292-9-0x0000000000A00000-0x0000000000CC2000-memory.dmp

Filesize
2.8MB

Download
memory/2292-11-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-21-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-8-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2480-23-0x0000000000FE0000-0x00000000012A2000-memory.dmp

Filesize
2.8MB

Download
memory/2652-34-0x0000000001220000-0x00000000014E2000-memory.dmp

Filesize
2.8MB

Download
memory/2748-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2748-10-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-1-0x0000000000390000-0x0000000000652000-memory.dmp

Filesize
2.8MB

Download