quasar | 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
Size

349KB
MD5

94cb4509fbc7d4a000a35094532b2dc6
SHA1

e3a609c58c08a2d34f6f384b40dcf5df0c361c39
SHA256

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
SHA512

7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Score

10^/10

quasar matei spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Matei

getrektscrub.hopto.org:4782

Mutex

QSR_MUTEX_KkiFVxzP7AThmUYEE7

Attributes

encryption_key
g4oiMoBrx37SHLCg4wcA
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

2084 schtasks.exe
4 ip-api.com
15 api.ipify.org
27 api.ipify.org

pid	process
2084	schtasks.exe
4	ip-api.com
15	api.ipify.org
27	api.ipify.org

Quasar payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4876-130-0x0000000000550000-0x00000000005AE000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar

suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
suricata
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata

Executes dropped EXE 10 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2232	svchost.exe
4972	svchost.exe
3200	svchost.exe
4932	svchost.exe
400	svchost.exe
1456	svchost.exe
4040	svchost.exe
3672	svchost.exe
3140	svchost.exe
2264	svchost.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 api.ipify.org
4 ip-api.com
15 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
27	api.ipify.org
4	ip-api.com
15	api.ipify.org

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4756	2232	WerFault.exe	svchost.exe
3452	4972	WerFault.exe	svchost.exe
716	3200	WerFault.exe	svchost.exe
1996	4932	WerFault.exe	svchost.exe
4084	400	WerFault.exe	svchost.exe
4756	1456	WerFault.exe	svchost.exe
1340	4040	WerFault.exe	svchost.exe
1964	3672	WerFault.exe	svchost.exe
3764	3140	WerFault.exe	svchost.exe
3456	2264	WerFault.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4952	schtasks.exe
2192	schtasks.exe
1088	schtasks.exe
2084	schtasks.exe
4056	schtasks.exe
2316	schtasks.exe
1108	schtasks.exe
496	schtasks.exe
3744	schtasks.exe
2184	schtasks.exe
3640	schtasks.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2192 PING.EXE
4564 PING.EXE
3752 PING.EXE
3740 PING.EXE
2532 PING.EXE
1300 PING.EXE
2248 PING.EXE
2520 PING.EXE
2528 PING.EXE
3784 PING.EXE

pid	process
2192	PING.EXE
4564	PING.EXE
3752	PING.EXE
3740	PING.EXE
2532	PING.EXE
1300	PING.EXE
2248	PING.EXE
2520	PING.EXE
2528	PING.EXE
3784	PING.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4876	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
Token: SeDebugPrivilege	2232	svchost.exe
Token: SeDebugPrivilege	4972	svchost.exe
Token: SeDebugPrivilege	3200	svchost.exe
Token: SeDebugPrivilege	4932	svchost.exe
Token: SeDebugPrivilege	400	svchost.exe
Token: SeDebugPrivilege	1456	svchost.exe
Token: SeDebugPrivilege	4040	svchost.exe
Token: SeDebugPrivilege	3672	svchost.exe
Token: SeDebugPrivilege	3140	svchost.exe
Token: SeDebugPrivilege	2264	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2232	svchost.exe
4972	svchost.exe
3200	svchost.exe
4932	svchost.exe
400	svchost.exe
1456	svchost.exe
4040	svchost.exe
3672	svchost.exe
3140	svchost.exe
2264	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exesvchost.execmd.exesvchost.execmd.exesvchost.execmd.exesvchost.execmd.exe

description	pid	process	target process
PID 4876 wrote to memory of 2084	4876	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	schtasks.exe
PID 4876 wrote to memory of 2084	4876	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	schtasks.exe
PID 4876 wrote to memory of 2084	4876	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	schtasks.exe
PID 4876 wrote to memory of 2232	4876	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	svchost.exe
PID 4876 wrote to memory of 2232	4876	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	svchost.exe
PID 4876 wrote to memory of 2232	4876	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	svchost.exe
PID 2232 wrote to memory of 4056	2232	svchost.exe	schtasks.exe
PID 2232 wrote to memory of 4056	2232	svchost.exe	schtasks.exe
PID 2232 wrote to memory of 4056	2232	svchost.exe	schtasks.exe
PID 2232 wrote to memory of 4512	2232	svchost.exe	cmd.exe
PID 2232 wrote to memory of 4512	2232	svchost.exe	cmd.exe
PID 2232 wrote to memory of 4512	2232	svchost.exe	cmd.exe
PID 4512 wrote to memory of 4884	4512	cmd.exe	chcp.com
PID 4512 wrote to memory of 4884	4512	cmd.exe	chcp.com
PID 4512 wrote to memory of 4884	4512	cmd.exe	chcp.com
PID 4512 wrote to memory of 1300	4512	cmd.exe	PING.EXE
PID 4512 wrote to memory of 1300	4512	cmd.exe	PING.EXE
PID 4512 wrote to memory of 1300	4512	cmd.exe	PING.EXE
PID 4512 wrote to memory of 4972	4512	cmd.exe	svchost.exe
PID 4512 wrote to memory of 4972	4512	cmd.exe	svchost.exe
PID 4512 wrote to memory of 4972	4512	cmd.exe	svchost.exe
PID 4972 wrote to memory of 2316	4972	svchost.exe	schtasks.exe
PID 4972 wrote to memory of 2316	4972	svchost.exe	schtasks.exe
PID 4972 wrote to memory of 2316	4972	svchost.exe	schtasks.exe
PID 4972 wrote to memory of 3432	4972	svchost.exe	cmd.exe
PID 4972 wrote to memory of 3432	4972	svchost.exe	cmd.exe
PID 4972 wrote to memory of 3432	4972	svchost.exe	cmd.exe
PID 3432 wrote to memory of 3632	3432	cmd.exe	chcp.com
PID 3432 wrote to memory of 3632	3432	cmd.exe	chcp.com
PID 3432 wrote to memory of 3632	3432	cmd.exe	chcp.com
PID 3432 wrote to memory of 2192	3432	cmd.exe	PING.EXE
PID 3432 wrote to memory of 2192	3432	cmd.exe	PING.EXE
PID 3432 wrote to memory of 2192	3432	cmd.exe	PING.EXE
PID 3432 wrote to memory of 3200	3432	cmd.exe	svchost.exe
PID 3432 wrote to memory of 3200	3432	cmd.exe	svchost.exe
PID 3432 wrote to memory of 3200	3432	cmd.exe	svchost.exe
PID 3200 wrote to memory of 496	3200	svchost.exe	schtasks.exe
PID 3200 wrote to memory of 496	3200	svchost.exe	schtasks.exe
PID 3200 wrote to memory of 496	3200	svchost.exe	schtasks.exe
PID 3200 wrote to memory of 3796	3200	svchost.exe	cmd.exe
PID 3200 wrote to memory of 3796	3200	svchost.exe	cmd.exe
PID 3200 wrote to memory of 3796	3200	svchost.exe	cmd.exe
PID 3796 wrote to memory of 3212	3796	cmd.exe	chcp.com
PID 3796 wrote to memory of 3212	3796	cmd.exe	chcp.com
PID 3796 wrote to memory of 3212	3796	cmd.exe	chcp.com
PID 3796 wrote to memory of 4564	3796	cmd.exe	PING.EXE
PID 3796 wrote to memory of 4564	3796	cmd.exe	PING.EXE
PID 3796 wrote to memory of 4564	3796	cmd.exe	PING.EXE
PID 3796 wrote to memory of 4932	3796	cmd.exe	svchost.exe
PID 3796 wrote to memory of 4932	3796	cmd.exe	svchost.exe
PID 3796 wrote to memory of 4932	3796	cmd.exe	svchost.exe
PID 4932 wrote to memory of 3744	4932	svchost.exe	schtasks.exe
PID 4932 wrote to memory of 3744	4932	svchost.exe	schtasks.exe
PID 4932 wrote to memory of 3744	4932	svchost.exe	schtasks.exe
PID 4932 wrote to memory of 2112	4932	svchost.exe	cmd.exe
PID 4932 wrote to memory of 2112	4932	svchost.exe	cmd.exe
PID 4932 wrote to memory of 2112	4932	svchost.exe	cmd.exe
PID 2112 wrote to memory of 2032	2112	cmd.exe	chcp.com
PID 2112 wrote to memory of 2032	2112	cmd.exe	chcp.com
PID 2112 wrote to memory of 2032	2112	cmd.exe	chcp.com
PID 2112 wrote to memory of 2248	2112	cmd.exe	PING.EXE
PID 2112 wrote to memory of 2248	2112	cmd.exe	PING.EXE
PID 2112 wrote to memory of 2248	2112	cmd.exe	PING.EXE
PID 2112 wrote to memory of 400	2112	cmd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
"C:\Users\Admin\AppData\Local\Temp\5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:2084

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vX3MBBuJzCsB.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4884

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1300

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PM3nVv9EZhVw.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3632

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2192

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouN69PuL0oyM.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:3212

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4564

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CzmzfZSy3yJM.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2032

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2248

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0nA2CRLxaq7l.bat" "
11⤵
PID:3068

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1228

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3752

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
12⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p5jtVWp0ofp5.bat" "
13⤵
PID:4580

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4716

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2520

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
14⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jP5UaLUNYJEI.bat" "
15⤵
PID:4712

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4500

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
16⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AVI6tFCK6HGC.bat" "
17⤵
PID:2104

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2316

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3784

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
18⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3140

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiBLCEnpVg7J.bat" "
19⤵
PID:1244

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2252

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3740

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3ijMV2cEEDJ1.bat" "
21⤵
PID:2904

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:2632

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 2228
21⤵
- Program crash
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1964
19⤵
- Program crash
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 2208
17⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 2208
15⤵
- Program crash
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1952
13⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 2208
11⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 2208
9⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 2212
7⤵
- Program crash
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 2252
5⤵
- Program crash
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1756
3⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2232 -ip 2232
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4972 -ip 4972
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3200 -ip 3200
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4932 -ip 4932
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 400 -ip 400
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1456 -ip 1456
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4040 -ip 4040
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3672 -ip 3672
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3140 -ip 3140
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2264 -ip 2264
1⤵
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0nA2CRLxaq7l.bat
Filesize
208B

MD5
cac6b713344a1b9fd19dc2752f35f1ec

SHA1
463d581c9664678f3e22d71a341d29d52f41a609

SHA256
694977ba609ca4d99bf8ae0d0a09fe8307a815e1977561bbfc4abbbdaeffe37f

SHA512
0f1f25c5c8337a928f80334020dc01276ad7406f8fb5778be35ce3ea04852df71bc355c951e4fa31d34df67e834f13c47c45496263187a3ca649f0d825c47889

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ijMV2cEEDJ1.bat
Filesize
208B

MD5
9a978b4e12bbe84800313813ef7b23d2

SHA1
99317d353b9d1154f4f34f4f13df5c1a72ec1d48

SHA256
16e7a63bf0457e3172c9326939e1ff484c5d792ab971bef13b82a4621274fc8f

SHA512
457e1e1315472d4c73449e781c12411aee45e9819ca08481f6ef053173a6b7aa539eefb5e27ea0e02cfc402a4a1b89dfc3aeb33ee50f85fe8cc76d38105a0eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AVI6tFCK6HGC.bat
Filesize
208B

MD5
7246cbec47a62d9b1eb0e0eb5b08f8a0

SHA1
607aa6e4e52910f2251e0580fe165000ba579d25

SHA256
f4cfda540f4113cafb6edf0638e36b337f5b288486263739ba889a87cd342bed

SHA512
4b43db0d5d31ae827f898f98beb6cffb0cf853c38fd40a9b6893bb3547a81ab320eb063eb17d3f34525b5c274afb60aed2ee45f402839a411a620966c89decf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CzmzfZSy3yJM.bat
Filesize
208B

MD5
7b1a6ea3b5126940ebcd4cb294eb700c

SHA1
de32bcbbf264c8983b9ae62559c6e118edc1ec4d

SHA256
e92aa09f1f14927caeee70183653ab990cb571cb7bb71fcb07254c2d904a8fd0

SHA512
e9aaebf440e80104fe4fc2566dc3080951d411d3602426bae0c79c53e7bcb760e382f0c5ab81a9018913259681ce1b007a27c98e59692d15581670c5b9f22bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PM3nVv9EZhVw.bat
Filesize
208B

MD5
6e06e970bb5c4ee2db68d364ac3dde04

SHA1
b4f1b06604b8d6176caa6d8b1c0aadadb58c3cfe

SHA256
68cef33b5844b661bce21392f047abc96c9b78391f1c0d911e1ff65169350dd4

SHA512
a7691ce4d7fa572d027eacc9c12e66e42bfc3e2d51a621817787bfc07ed7b5918fc48a64b97e3fa6b61e60e56366ec6e2edd501f14938ee58581ef560a314a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jP5UaLUNYJEI.bat
Filesize
208B

MD5
cdc87db5da9ae9c366c24b352f94cfcc

SHA1
79074a2a31774e077eac938c8f3284cd3703b29a

SHA256
cc84c352c983e3ead71a2a18657761eee967b8cae4699f649eb908d016f23008

SHA512
3468caed4dab48ef50f5a2d0f178b778ae4dac81c8fc5ca83e6674ddb53948263c20ce96182ccbe93db9107780282c5e57f05d0e0b36cb11aca3a481b9235886

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiBLCEnpVg7J.bat
Filesize
208B

MD5
d4edbe35e98572971fe9385c28e55d17

SHA1
fbb45acf5f247d5c2d786deab64cf10489613598

SHA256
06e0c01794c0a0b7c7af68a3dfa556c779447b7b3acb7a586004787fb8b571c3

SHA512
1b24f4e4212ca55c7517563cad1bc3299048d7390fc459dca51558870f1dd0ac730fe57c3038012449648a0748632d1e686fc645bd917c7df189d1d3f6df967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouN69PuL0oyM.bat
Filesize
208B

MD5
bda8071eb9915177b0e8a4eb7bd7414a

SHA1
ef16c9104b8bfc6b6c965d40c5ef1f6894d6cf4d

SHA256
f99e06de5b15a54fc07f112540df65e374e95a41907d37057f850a4d9f197553

SHA512
5fc8fc4e2343935cf2083620b4080e785ef324d0f2d89405880c7fd3443179c00533b3854a45b1192dfcefe0fbfbd0ebe07ac7d58ddfe00a00b1a34879a93402

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5jtVWp0ofp5.bat
Filesize
208B

MD5
713053952b4cc0a9a2f2c1d1b0b79d1e

SHA1
91d049606a2cf3748dca48bc5b87f195398a158c

SHA256
cf040873a3dfadbaedb5ef6146b5f0141515a2cfcdc7c1772cfd6d785bba63f5

SHA512
6e1e05de0619256c0a17307ecd71e72870abdf59ae25211a6cf7d364a55288c90f1b911b52b1c0d10639a4a10a1c7141404b6be3bf0ec5664290606a3ef0374d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vX3MBBuJzCsB.bat
Filesize
208B

MD5
2ca3eddfea7ad1297e04c5bb9a2144c9

SHA1
ad3632b831033fec0e3da01175c23e93c22d3774

SHA256
4b4028be57e2a93f7d8adf80202304002f88d066eb476289bafe58a50dbcc942

SHA512
e2f7782803da2f808ed5c851416f9d5f0114ed73aa2ff2f226ec3b0542867b8df0ffa637c562f2287942eb32d623b5a92052ca9e2b613ed12f14a48e89f473a3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-25-2022
Filesize
224B

MD5
2455f9567aa98d59033fc9fd8fb10e66

SHA1
10277884564d77b8e4ba18d5659da322171b04fa

SHA256
1d8aa70824f6fea4b2429c51888e124072e395c74b9ceddf93b8da5125a0f821

SHA512
7aba928a146b1fd00dd726cc7109a40a3734f799554c71bbf39b4323159db30810b93662c66ccbdf3c539741df660ac73312246424cb29cd5c07b71b256e8676

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-25-2022
Filesize
224B

MD5
688092132e1d7d9dcc90fb7f00594e82

SHA1
0c26aae5aa0a523996c81e0bb3eb0cd5ec236fd0

SHA256
e5c15dcf7c28dc48c4a0cdc1cd224e2fbfbb2dea5621ef6fc2cc2b6a22eb1a6a

SHA512
7c298e9ad2a1ac289d02886637e5f38ac47d516ad4055364d4d226d311d6c3291c0700bce0f71e52c741a99e02babcf7127d2e0dc61218fd7951490139e45ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-25-2022
Filesize
224B

MD5
b6930a2ce2406d6ea5b320f444f6b74f

SHA1
fb508eaa5938982ae1361278f2e967f1c3167267

SHA256
7ca2b25b360af7b76d8e1e51535ad36ba53debcf04f9c39a75f6a16d057c5b15

SHA512
6612ade1514cb3c8daa3a29bdd05b21cc8ad26b9c968ba94ede793a527dedd6c01a8f21474f325353f2d1f22fa21649bc8f5a60599e8dfabb4daffce80f5face

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-25-2022
Filesize
224B

MD5
3ee2c21f099bbec2547fcedbae3faad6

SHA1
e5683d5ddde6d1a4f161f28d1deaa9e5f4b42128

SHA256
6a154ea7ce97f6164113dde31db55ccd2284c5b27757d71912542a54f1e5396b

SHA512
fab493122064f9f227fefc011b4f13e04c9137bd5eb2942f6ca254a4b7191d0f17fac1c3f9c431134264246a017b7d9bb54f9b04104edd34730047885afedabb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-25-2022
Filesize
224B

MD5
10ee64f213f15a5f9f1c177a89f07a34

SHA1
9cd47dfe96a3e61ef3a630f96d03030ee86d8f69

SHA256
777cace6c24945282ab627ca20c1280bd822cecbe6d618656a50e3308132b6dd

SHA512
c120a31ed3050f40882a3a4b9123f9c3f9e52a37bb3affadc6ed7db94c76d872ee769edc5cfcc3981d00f933cd813ccc431644f00afbaad2e879bac425d7fb76

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-25-2022
Filesize
224B

MD5
7b95b21ce3b5b38109bf9ab45ed7f1b5

SHA1
6835fb870cb47b6d13822cfc0cef09f07928e008

SHA256
47007811a3832c0ba6150b27b561022914748f1f743c977e6181cbd6e0948ac4

SHA512
26e81b33972a8c79b83e5859d1dcf3a39aa5f03d22ccb35c1deffaa5aeaaac97241a223a79602ea6e7d7e6615fb4821d8661100e30a94cc7bbde0d2e4a21d59b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-25-2022
Filesize
224B

MD5
974e1c8bab540804ff3b4ab7dcadcc41

SHA1
d0476d501e8321160ed039b553cb836f54ae05be

SHA256
d6ccb97dca85e4af6af14d4be33fbd65aab5432f360bb44258a2e0a9ffc00e24

SHA512
6524f753a084daf6d80bb381a2e4a0c845b2c66418a6acd1cf3a48181954fbe099d0f575b617ae7f1dbf5d65f3b1bec579784f0deb0b9c3b716f21375f08fdec

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-25-2022
Filesize
224B

MD5
b5bae0f91c3825524fccf4909e60a6e2

SHA1
462e67c1252a80e6f71c0da722c5a52f7443745c

SHA256
98b40f7a0f99a85cb399b33dfbde30bfd1999083c8c29277e62ff50655099235

SHA512
4d997a72b94f35d5a787bfbfda01d35cdc3020426cd1778c0d5ed0888beb2aff1a5d0d57d2c778cf42bbbd6efc47056120159cd85eb91977ac78d3a7f84704dc

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-25-2022
Filesize
224B

MD5
ff17aee5e7f85f1c098dbf4df9b724c0

SHA1
a4d1d9d3c7a5360fbd9e81e192d90fb2ebc2270b

SHA256
5a152ca57970e4fd1a7d851ea5b067dde2ce2abbb6a667db4e7672de4d556d67

SHA512
bbb42f8b7bc235e3ee528e24bec7e79db33c746129a9e4ce21c5a6782d2733559c2132e9a8e5785362a46c82a52204207847e6f5c4b3165c60c009069c5f3c62

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
memory/400-170-0x0000000000000000-mapping.dmp

Download
memory/496-156-0x0000000000000000-mapping.dmp

Download
memory/1088-212-0x0000000000000000-mapping.dmp

Download
memory/1108-172-0x0000000000000000-mapping.dmp

Download
memory/1228-176-0x0000000000000000-mapping.dmp

Download
memory/1244-206-0x0000000000000000-mapping.dmp

Download
memory/1300-145-0x0000000000000000-mapping.dmp

Download
memory/1456-178-0x0000000000000000-mapping.dmp

Download
memory/2032-168-0x0000000000000000-mapping.dmp

Download
memory/2084-136-0x0000000000000000-mapping.dmp

Download
memory/2104-198-0x0000000000000000-mapping.dmp

Download
memory/2112-166-0x0000000000000000-mapping.dmp

Download
memory/2184-180-0x0000000000000000-mapping.dmp

Download
memory/2192-153-0x0000000000000000-mapping.dmp

Download
memory/2192-204-0x0000000000000000-mapping.dmp

Download
memory/2232-141-0x0000000007120000-0x000000000712A000-memory.dmp

Filesize
40KB

Download
memory/2232-137-0x0000000000000000-mapping.dmp

Download
memory/2248-169-0x0000000000000000-mapping.dmp

Download
memory/2252-208-0x0000000000000000-mapping.dmp

Download
memory/2264-210-0x0000000000000000-mapping.dmp

Download
memory/2316-200-0x0000000000000000-mapping.dmp

Download
memory/2316-148-0x0000000000000000-mapping.dmp

Download
memory/2520-185-0x0000000000000000-mapping.dmp

Download
memory/2528-193-0x0000000000000000-mapping.dmp

Download
memory/2532-217-0x0000000000000000-mapping.dmp

Download
memory/2632-216-0x0000000000000000-mapping.dmp

Download
memory/2904-214-0x0000000000000000-mapping.dmp

Download
memory/3068-174-0x0000000000000000-mapping.dmp

Download
memory/3140-202-0x0000000000000000-mapping.dmp

Download
memory/3200-154-0x0000000000000000-mapping.dmp

Download
memory/3212-160-0x0000000000000000-mapping.dmp

Download
memory/3432-150-0x0000000000000000-mapping.dmp

Download
memory/3632-152-0x0000000000000000-mapping.dmp

Download
memory/3640-196-0x0000000000000000-mapping.dmp

Download
memory/3672-194-0x0000000000000000-mapping.dmp

Download
memory/3740-209-0x0000000000000000-mapping.dmp

Download
memory/3744-164-0x0000000000000000-mapping.dmp

Download
memory/3752-177-0x0000000000000000-mapping.dmp

Download
memory/3784-201-0x0000000000000000-mapping.dmp

Download
memory/3796-158-0x0000000000000000-mapping.dmp

Download
memory/4040-186-0x0000000000000000-mapping.dmp

Download
memory/4056-140-0x0000000000000000-mapping.dmp

Download
memory/4500-192-0x0000000000000000-mapping.dmp

Download
memory/4512-142-0x0000000000000000-mapping.dmp

Download
memory/4564-161-0x0000000000000000-mapping.dmp

Download
memory/4580-182-0x0000000000000000-mapping.dmp

Download
memory/4712-190-0x0000000000000000-mapping.dmp

Download
memory/4716-184-0x0000000000000000-mapping.dmp

Download
memory/4876-135-0x00000000063B0000-0x00000000063EC000-memory.dmp

Filesize
240KB

Download
memory/4876-130-0x0000000000550000-0x00000000005AE000-memory.dmp

Filesize
376KB

Download
memory/4876-134-0x0000000005F90000-0x0000000005FA2000-memory.dmp

Filesize
72KB

Download
memory/4876-133-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/4876-132-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/4876-131-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/4884-144-0x0000000000000000-mapping.dmp

Download
memory/4932-162-0x0000000000000000-mapping.dmp

Download
memory/4952-188-0x0000000000000000-mapping.dmp

Download
memory/4972-146-0x0000000000000000-mapping.dmp

Download