quasar | e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2023 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

84196815c135e19db65295a1cea9a522
SHA1

fc46f3972ad6280b17e27f3ff519c2b7d035370f
SHA256

e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
SHA512

3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
SSDEEP

49152:7vWhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaYiRJ6TbR3LoGdjTHHB72eh2NT:7v4t2d5aKCuVPzlEmVQ0wvwfYiRJ6F

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

slave

cherrywoods-29890.portmap.host:29890:16243

Mutex

5d49d039-8bce-40c5-82b6-413e6ca1279a

Attributes

encryption_key
2E34CBDFC0A612A970A99A781D3AB0C010E1A59C
install_name
cvvhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security notification icon
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1132-0-0x00000000007D0000-0x0000000000AF4000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\system32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe

Executes dropped EXE 12 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

pid	process
3204	cvvhost.exe
4668	cvvhost.exe
5100	cvvhost.exe
5060	cvvhost.exe
4152	cvvhost.exe
1700	cvvhost.exe
4800	cvvhost.exe
4820	cvvhost.exe
3660	cvvhost.exe
1560	cvvhost.exe
4556	cvvhost.exe
3320	cvvhost.exe

Drops file in System32 directory 27 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exeClient-built.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File created	C:\Windows\system32\SubDir\cvvhost.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1532	schtasks.exe
3672	schtasks.exe
4480	schtasks.exe
2212	schtasks.exe
1268	schtasks.exe
1676	schtasks.exe
1508	schtasks.exe
1288	schtasks.exe
1352	schtasks.exe
4016	schtasks.exe
4144	schtasks.exe
3956	schtasks.exe
2724	schtasks.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4300	PING.EXE
4648	PING.EXE
2776	PING.EXE
880	PING.EXE
2704	PING.EXE
3656	PING.EXE
4132	PING.EXE
1912	PING.EXE
1056	PING.EXE
2160	PING.EXE
2984	PING.EXE
1732	PING.EXE

Suspicious behavior: LoadsDriver 14 IoCs

Processes:

pid

4
4
4
4
4
676
4
4
4
4
4
4
4
4

pid
4
4
4
4
4
676
4
4
4
4
4
4
4
4

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

Client-built.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

description	pid	process
Token: SeDebugPrivilege	1132	Client-built.exe
Token: SeDebugPrivilege	3204	cvvhost.exe
Token: SeDebugPrivilege	4668	cvvhost.exe
Token: SeDebugPrivilege	5100	cvvhost.exe
Token: SeDebugPrivilege	5060	cvvhost.exe
Token: SeDebugPrivilege	4152	cvvhost.exe
Token: SeDebugPrivilege	1700	cvvhost.exe
Token: SeDebugPrivilege	4800	cvvhost.exe
Token: SeDebugPrivilege	4820	cvvhost.exe
Token: SeDebugPrivilege	3660	cvvhost.exe
Token: SeDebugPrivilege	1560	cvvhost.exe
Token: SeDebugPrivilege	4556	cvvhost.exe
Token: SeDebugPrivilege	3320	cvvhost.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

pid	process
3204	cvvhost.exe
4668	cvvhost.exe
5100	cvvhost.exe
5060	cvvhost.exe
4152	cvvhost.exe
1700	cvvhost.exe
4800	cvvhost.exe
4820	cvvhost.exe
3660	cvvhost.exe
1560	cvvhost.exe
4556	cvvhost.exe
3320	cvvhost.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

pid	process
3204	cvvhost.exe
4668	cvvhost.exe
5100	cvvhost.exe
5060	cvvhost.exe
4152	cvvhost.exe
1700	cvvhost.exe
4800	cvvhost.exe
4820	cvvhost.exe
3660	cvvhost.exe
1560	cvvhost.exe
4556	cvvhost.exe
3320	cvvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.execvvhost.execmd.execvvhost.execmd.execvvhost.execmd.execvvhost.execmd.execvvhost.execmd.execvvhost.execmd.exe

description	pid	process	target process
PID 1132 wrote to memory of 3956	1132	Client-built.exe	schtasks.exe
PID 1132 wrote to memory of 3956	1132	Client-built.exe	schtasks.exe
PID 1132 wrote to memory of 3204	1132	Client-built.exe	cvvhost.exe
PID 1132 wrote to memory of 3204	1132	Client-built.exe	cvvhost.exe
PID 3204 wrote to memory of 1268	3204	cvvhost.exe	schtasks.exe
PID 3204 wrote to memory of 1268	3204	cvvhost.exe	schtasks.exe
PID 3204 wrote to memory of 384	3204	cvvhost.exe	cmd.exe
PID 3204 wrote to memory of 384	3204	cvvhost.exe	cmd.exe
PID 384 wrote to memory of 1752	384	cmd.exe	chcp.com
PID 384 wrote to memory of 1752	384	cmd.exe	chcp.com
PID 384 wrote to memory of 2776	384	cmd.exe	PING.EXE
PID 384 wrote to memory of 2776	384	cmd.exe	PING.EXE
PID 384 wrote to memory of 4668	384	cmd.exe	cvvhost.exe
PID 384 wrote to memory of 4668	384	cmd.exe	cvvhost.exe
PID 4668 wrote to memory of 1676	4668	cvvhost.exe	schtasks.exe
PID 4668 wrote to memory of 1676	4668	cvvhost.exe	schtasks.exe
PID 4668 wrote to memory of 4728	4668	cvvhost.exe	cmd.exe
PID 4668 wrote to memory of 4728	4668	cvvhost.exe	cmd.exe
PID 4728 wrote to memory of 1296	4728	cmd.exe	chcp.com
PID 4728 wrote to memory of 1296	4728	cmd.exe	chcp.com
PID 4728 wrote to memory of 880	4728	cmd.exe	PING.EXE
PID 4728 wrote to memory of 880	4728	cmd.exe	PING.EXE
PID 4728 wrote to memory of 5100	4728	cmd.exe	cvvhost.exe
PID 4728 wrote to memory of 5100	4728	cmd.exe	cvvhost.exe
PID 5100 wrote to memory of 2724	5100	cvvhost.exe	schtasks.exe
PID 5100 wrote to memory of 2724	5100	cvvhost.exe	schtasks.exe
PID 5100 wrote to memory of 4224	5100	cvvhost.exe	cmd.exe
PID 5100 wrote to memory of 4224	5100	cvvhost.exe	cmd.exe
PID 4224 wrote to memory of 1532	4224	cmd.exe	chcp.com
PID 4224 wrote to memory of 1532	4224	cmd.exe	chcp.com
PID 4224 wrote to memory of 1056	4224	cmd.exe	PING.EXE
PID 4224 wrote to memory of 1056	4224	cmd.exe	PING.EXE
PID 4224 wrote to memory of 5060	4224	cmd.exe	cvvhost.exe
PID 4224 wrote to memory of 5060	4224	cmd.exe	cvvhost.exe
PID 5060 wrote to memory of 1508	5060	cvvhost.exe	schtasks.exe
PID 5060 wrote to memory of 1508	5060	cvvhost.exe	schtasks.exe
PID 5060 wrote to memory of 396	5060	cvvhost.exe	cmd.exe
PID 5060 wrote to memory of 396	5060	cvvhost.exe	cmd.exe
PID 396 wrote to memory of 4508	396	cmd.exe	chcp.com
PID 396 wrote to memory of 4508	396	cmd.exe	chcp.com
PID 396 wrote to memory of 2704	396	cmd.exe	PING.EXE
PID 396 wrote to memory of 2704	396	cmd.exe	PING.EXE
PID 396 wrote to memory of 4152	396	cmd.exe	cvvhost.exe
PID 396 wrote to memory of 4152	396	cmd.exe	cvvhost.exe
PID 4152 wrote to memory of 1532	4152	cvvhost.exe	schtasks.exe
PID 4152 wrote to memory of 1532	4152	cvvhost.exe	schtasks.exe
PID 4152 wrote to memory of 4068	4152	cvvhost.exe	cmd.exe
PID 4152 wrote to memory of 4068	4152	cvvhost.exe	cmd.exe
PID 4068 wrote to memory of 3720	4068	cmd.exe	chcp.com
PID 4068 wrote to memory of 3720	4068	cmd.exe	chcp.com
PID 4068 wrote to memory of 2160	4068	cmd.exe	PING.EXE
PID 4068 wrote to memory of 2160	4068	cmd.exe	PING.EXE
PID 4068 wrote to memory of 1700	4068	cmd.exe	cvvhost.exe
PID 4068 wrote to memory of 1700	4068	cmd.exe	cvvhost.exe
PID 1700 wrote to memory of 1288	1700	cvvhost.exe	schtasks.exe
PID 1700 wrote to memory of 1288	1700	cvvhost.exe	schtasks.exe
PID 1700 wrote to memory of 4028	1700	cvvhost.exe	cmd.exe
PID 1700 wrote to memory of 4028	1700	cvvhost.exe	cmd.exe
PID 4028 wrote to memory of 4224	4028	cmd.exe	chcp.com
PID 4028 wrote to memory of 4224	4028	cmd.exe	chcp.com
PID 4028 wrote to memory of 2984	4028	cmd.exe	PING.EXE
PID 4028 wrote to memory of 2984	4028	cmd.exe	PING.EXE
PID 4028 wrote to memory of 4800	4028	cmd.exe	cvvhost.exe
PID 4028 wrote to memory of 4800	4028	cmd.exe	cvvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3956

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYjrtDLC7Iy9.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1752

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2776

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FFExtO0rMaXI.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1296

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:880

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9K9OQMAMIf6a.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:1532

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1056

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FNplaGhmTD8R.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:4508

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2704

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyRJ8dlK1DFB.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:3720

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2160

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wHtBMA8JSLQz.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:4224

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2984

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4800

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xvr1ubKr1SzJ.bat" "
15⤵
PID:2212

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:3400

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3656

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4820

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qzos8pT5WmVk.bat" "
17⤵
PID:3616

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:1128

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1732

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3660

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\64WnlnLVPpmB.bat" "
19⤵
PID:3784

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2908

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4132

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1560

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6sXNdJHcEzH0.bat" "
21⤵
PID:3012

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:1172

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4300

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4556

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeqTDstX7u7H.bat" "
23⤵
PID:3820

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:4640

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:1912

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3320

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k15iLayzSyGn.bat" "
25⤵
PID:4016

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:2072

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cvvhost.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\64WnlnLVPpmB.bat
Filesize
197B

MD5
5819e2be0ec878ef9d41162bed8066e6

SHA1
91783692d6ff85ef1730720ab60e5ba2c7dda0bd

SHA256
251656aee2a9152a4b31efdc10e8704fb5f75fbecd7ff3312f553af6fea5c88c

SHA512
23c954c53f353da88b3beb70ef0b2489c1cf6f5d7113a7bbb7b454adc664292b458e61e48d6499dc15f9b05466dcfaff97689cfd3f80932acb80e11906654dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6sXNdJHcEzH0.bat
Filesize
197B

MD5
bb1c04fbe19fad214a350cd2f988cea4

SHA1
a59d7ed7a341c1b574bae7eeb6aa337d8ae20f3c

SHA256
d9ca20f45408e61f3f60d6b158b8523528a3b09158375b3097ec22de0b449d7c

SHA512
ad10d3453a1d01c4ff81bee90b3ea01b61dfc6d069afcb4f7c3210ea2fc8d85a2d525885f6136da48bfdfd627428b429e48ecf7505e377ecb342d9dad5ea4526

Download Submit
C:\Users\Admin\AppData\Local\Temp\9K9OQMAMIf6a.bat
Filesize
197B

MD5
864253f6630c9a22579b7f777de60b97

SHA1
a9692551696fd902c7b5b007f7803ef8d7c671ae

SHA256
66486196e2fded36464e54a036f54b8a5169075501d4d373cdf3faf251c6c157

SHA512
9072b9eb56f4baafa0a94c6785705c235da8f23f9d991c480fd807cb09ec4814b05f28c41a077ca16dc139e7f7ceb8c8eb7b9d14e60601c8baa12bd624cf4b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFExtO0rMaXI.bat
Filesize
197B

MD5
e21271ba92c961b74f32e283375c5db8

SHA1
39dbda594c87cc76ac2a4d30430fc5e328cbacc2

SHA256
31d310badef73d96931ee529865481026eeb5a6ff65ed97f883e0e71bfd3cecd

SHA512
88558d0adf926e3d0152d1a29a46e23c342c4c525a0389a69daff22378cea35fed4bed0d0369ec37e97672705a1dc6cdea92a797a7cd5132341f5f61decbccd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNplaGhmTD8R.bat
Filesize
197B

MD5
3534db72aacf99c0f33045d52ade6730

SHA1
73652a85ba9fd19cb879ddb37ed71d718b59fe48

SHA256
2087e5deefe9313474a7645ca8f9f38d673a48ddce2da941f34835b96d43cde9

SHA512
fe32affbe5940991bd40d0459744df543550ed7edb26581b4abc37ad9a39178b19255c1f52ec204f8dc88b73698500841d8f3993ed3038d7459a45859a99d3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYjrtDLC7Iy9.bat
Filesize
197B

MD5
cd59a2336346e0c747ef18a616d72d32

SHA1
8dafbd3f2d4428880dff9edb4997979fbeb79331

SHA256
7a30439c821e1aa930af186bc2b4686e3f8dbd2a8e759ed2c7641ebdbf1a1247

SHA512
aafb8af5a4ab06a6af900e146a70f7e0c6b5bfab2cbe6f4586cf8d1812708d1af5f6d25b272414ade547fdf37e569b39a29630e68d6c0ae56df2e390b9bc7073

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyRJ8dlK1DFB.bat
Filesize
197B

MD5
76f58823876be149b640c37506d111f8

SHA1
0ed31baeb2694781bfeb728245f569aa577f4287

SHA256
35b2d0d36ece42c7b57e714798d9af3815423b2d4d17431b579df2fae5666b6d

SHA512
2291d312e3422922e16a51052b345e5ceed4e4559ca3523a7f72b48a7721abdf2276ab9847b0309bbf996831ecd5a1eea87d69516b26e9ca373f56ac58d287fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeqTDstX7u7H.bat
Filesize
197B

MD5
29e3af9809cc287b5b591fe474a37c7b

SHA1
a291e79fac22c7b9108d929933c73114962a34c0

SHA256
2649aac25d8d6eb78a194845e9f8eac119c5c2080486d476299068112a781cd1

SHA512
af3b54dff4b2ac03f240a4c5898f5ce1c14705b4874e5af0b805350dcc2b52608e45636f82fa5349c60062b55b45b6f520356b218611082465c12731ccc34aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\k15iLayzSyGn.bat
Filesize
197B

MD5
696cf7b5ae6c8cec95278fd60f8a0bc4

SHA1
f6c1e90ee281195a3f69dff6ea849072d7e3caec

SHA256
f4f5acd63eeb1e97ded2502c4c780f858795a768af28ece73711fc84f74a4dce

SHA512
a866ac875535065749c0ff6ee63d3da324af9a7468ee7978009cc8495922c8405463c893787fe197a339c1805a7a01ef9f3ccd07e6a71d4cc9c74f69ce7d063c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzos8pT5WmVk.bat
Filesize
197B

MD5
d23e7eacfde40b93a3728a5af60c7524

SHA1
eb442240cdbe669c60c555223df343c6deb4dd86

SHA256
c98c6d0b74ee9c3673fed58e9915af568a8a4e892f0e88415aa6556ebb0eae3b

SHA512
db6f56dc272047afb9ce70328cc9104627da5a9b74d57793e911744d5fbadbf3fbe54cba27669d298e7f335a553f5f52ffd3588387f438fe819b3369e1754435

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHtBMA8JSLQz.bat
Filesize
197B

MD5
9093933a9eea785f420c1d792a0cdec7

SHA1
43daa6fabb5717bcb017de87644ac4302b4ce9cb

SHA256
d7f11da414f608eb2ddd8d2f13527b8ff5126d5e2decc9d7c4a8a3f80895936e

SHA512
9704059d8234317d8d3ce5382104a4a1a8fd4fa504c4e24e43b754a334d66cfc5821aaf203cca5fe1b5f113b7902e73a35891bf555b1a5adf8c1e40ff11ed032

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvr1ubKr1SzJ.bat
Filesize
197B

MD5
5370a982f92a1dea0b47196afab34405

SHA1
3dbacaf9fc3100508a15e39de59730dc48a99769

SHA256
aa49c88c3ba38560b5d60209b9329a7b0c081db759d1093871fdbc7fd8f236de

SHA512
6419baf235b9f132fd772e5f849a6483a9a1fdabe8f246f48ead061298d740a49908c6b6e0cb51fab7332cae35f836cfe4a158272bf6aedfecf2df78a1da4f93

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\system32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
memory/1132-2-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/1132-10-0x00007FFBF6AD0000-0x00007FFBF7591000-memory.dmp

Filesize
10.8MB

Download
memory/1132-1-0x00007FFBF6AD0000-0x00007FFBF7591000-memory.dmp

Filesize
10.8MB

Download
memory/1132-0-0x00000000007D0000-0x0000000000AF4000-memory.dmp

Filesize
3.1MB

Download
memory/1560-86-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/1560-87-0x000000001BCF0000-0x000000001BD00000-memory.dmp

Filesize
64KB

Download
memory/1560-91-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/1700-54-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/1700-55-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/1700-59-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/3204-19-0x00007FFBF6AD0000-0x00007FFBF7591000-memory.dmp

Filesize
10.8MB

Download
memory/3204-9-0x00007FFBF6AD0000-0x00007FFBF7591000-memory.dmp

Filesize
10.8MB

Download
memory/3204-11-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

Filesize
64KB

Download
memory/3204-12-0x000000001BE40000-0x000000001BE90000-memory.dmp

Filesize
320KB

Download
memory/3204-13-0x000000001BF50000-0x000000001C002000-memory.dmp

Filesize
712KB

Download
memory/3320-107-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/3320-103-0x000000001B560000-0x000000001B570000-memory.dmp

Filesize
64KB

Download
memory/3320-102-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-79-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/3660-83-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-78-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/4152-51-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/4152-47-0x000000001BE00000-0x000000001BE10000-memory.dmp

Filesize
64KB

Download
memory/4152-46-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/4556-95-0x000000001B3D0000-0x000000001B3E0000-memory.dmp

Filesize
64KB

Download
memory/4556-94-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/4556-100-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/4668-23-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/4668-22-0x00007FFBF6C10000-0x00007FFBF76D1000-memory.dmp

Filesize
10.8MB

Download
memory/4668-27-0x00007FFBF6C10000-0x00007FFBF76D1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-67-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/4800-62-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/4800-63-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/4820-70-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/4820-71-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/4820-75-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/5060-44-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/5060-39-0x000000001B800000-0x000000001B810000-memory.dmp

Filesize
64KB

Download
memory/5060-38-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/5100-31-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/5100-30-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download
memory/5100-35-0x00007FFBF5460000-0x00007FFBF5F21000-memory.dmp

Filesize
10.8MB

Download