quasar | e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

Analysis

max time kernel
68s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

84196815c135e19db65295a1cea9a522
SHA1

fc46f3972ad6280b17e27f3ff519c2b7d035370f
SHA256

e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
SHA512

3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
SSDEEP

49152:7vWhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaYiRJ6TbR3LoGdjTHHB72eh2NT:7v4t2d5aKCuVPzlEmVQ0wvwfYiRJ6F

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

slave

cherrywoods-29890.portmap.host:29890:16243

Mutex

5d49d039-8bce-40c5-82b6-413e6ca1279a

Attributes

encryption_key
2E34CBDFC0A612A970A99A781D3AB0C010E1A59C
install_name
cvvhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security notification icon
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4676-0-0x0000000000FC0000-0x00000000012E4000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\system32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cvvhost.exe

Executes dropped EXE 6 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

pid process

3884 cvvhost.exe
2176 cvvhost.exe
2228 cvvhost.exe
4584 cvvhost.exe
2492 cvvhost.exe
3876 cvvhost.exe

pid	process
3884	cvvhost.exe
2176	cvvhost.exe
2228	cvvhost.exe
4584	cvvhost.exe
2492	cvvhost.exe
3876	cvvhost.exe

Drops file in System32 directory 15 IoCs

Processes:

cvvhost.exeClient-built.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File created	C:\Windows\system32\SubDir\cvvhost.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4980	schtasks.exe
2652	schtasks.exe
1928	schtasks.exe
1136	schtasks.exe
3852	schtasks.exe
2704	schtasks.exe
3968	schtasks.exe
4468	schtasks.exe
4788	schtasks.exe
2152	schtasks.exe
4048	schtasks.exe
3372	schtasks.exe
4116	schtasks.exe
1260	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4488	PING.EXE
3944	PING.EXE
1692	PING.EXE
4528	PING.EXE
4672	PING.EXE
4504	PING.EXE
4780	PING.EXE
2988	PING.EXE
2148	PING.EXE
3548	PING.EXE
2976	PING.EXE
2952	PING.EXE
3424	PING.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Client-built.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

description	pid	process
Token: SeDebugPrivilege	4676	Client-built.exe
Token: SeDebugPrivilege	3884	cvvhost.exe
Token: SeDebugPrivilege	2176	cvvhost.exe
Token: SeDebugPrivilege	2228	cvvhost.exe
Token: SeDebugPrivilege	4584	cvvhost.exe
Token: SeDebugPrivilege	2492	cvvhost.exe
Token: SeDebugPrivilege	3876	cvvhost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

pid process

3884 cvvhost.exe
2176 cvvhost.exe
2228 cvvhost.exe
4584 cvvhost.exe
2492 cvvhost.exe
3876 cvvhost.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

pid process

3884 cvvhost.exe
2176 cvvhost.exe
2228 cvvhost.exe
4584 cvvhost.exe
2492 cvvhost.exe
3876 cvvhost.exe

pid	process
3884	cvvhost.exe
2176	cvvhost.exe
2228	cvvhost.exe
4584	cvvhost.exe
2492	cvvhost.exe
3876	cvvhost.exe

pid	process
3884	cvvhost.exe
2176	cvvhost.exe
2228	cvvhost.exe
4584	cvvhost.exe
2492	cvvhost.exe
3876	cvvhost.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Client-built.execvvhost.execmd.execvvhost.execmd.execvvhost.execmd.execvvhost.execmd.execvvhost.execmd.execvvhost.exe

description	pid	process	target process
PID 4676 wrote to memory of 2652	4676	Client-built.exe	schtasks.exe
PID 4676 wrote to memory of 2652	4676	Client-built.exe	schtasks.exe
PID 4676 wrote to memory of 3884	4676	Client-built.exe	cvvhost.exe
PID 4676 wrote to memory of 3884	4676	Client-built.exe	cvvhost.exe
PID 3884 wrote to memory of 4788	3884	cvvhost.exe	schtasks.exe
PID 3884 wrote to memory of 4788	3884	cvvhost.exe	schtasks.exe
PID 3884 wrote to memory of 2664	3884	cvvhost.exe	cmd.exe
PID 3884 wrote to memory of 2664	3884	cvvhost.exe	cmd.exe
PID 2664 wrote to memory of 4704	2664	cmd.exe	chcp.com
PID 2664 wrote to memory of 4704	2664	cmd.exe	chcp.com
PID 2664 wrote to memory of 3944	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 3944	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 2176	2664	cmd.exe	cvvhost.exe
PID 2664 wrote to memory of 2176	2664	cmd.exe	cvvhost.exe
PID 2176 wrote to memory of 2704	2176	cvvhost.exe	schtasks.exe
PID 2176 wrote to memory of 2704	2176	cvvhost.exe	schtasks.exe
PID 2176 wrote to memory of 4960	2176	cvvhost.exe	cmd.exe
PID 2176 wrote to memory of 4960	2176	cvvhost.exe	cmd.exe
PID 4960 wrote to memory of 3100	4960	cmd.exe	chcp.com
PID 4960 wrote to memory of 3100	4960	cmd.exe	chcp.com
PID 4960 wrote to memory of 1692	4960	cmd.exe	PING.EXE
PID 4960 wrote to memory of 1692	4960	cmd.exe	PING.EXE
PID 4960 wrote to memory of 2228	4960	cmd.exe	cvvhost.exe
PID 4960 wrote to memory of 2228	4960	cmd.exe	cvvhost.exe
PID 2228 wrote to memory of 3968	2228	cvvhost.exe	schtasks.exe
PID 2228 wrote to memory of 3968	2228	cvvhost.exe	schtasks.exe
PID 2228 wrote to memory of 2312	2228	cvvhost.exe	cmd.exe
PID 2228 wrote to memory of 2312	2228	cvvhost.exe	cmd.exe
PID 2312 wrote to memory of 3376	2312	cmd.exe	chcp.com
PID 2312 wrote to memory of 3376	2312	cmd.exe	chcp.com
PID 2312 wrote to memory of 2988	2312	cmd.exe	PING.EXE
PID 2312 wrote to memory of 2988	2312	cmd.exe	PING.EXE
PID 2312 wrote to memory of 4584	2312	cmd.exe	cvvhost.exe
PID 2312 wrote to memory of 4584	2312	cmd.exe	cvvhost.exe
PID 4584 wrote to memory of 4468	4584	cvvhost.exe	schtasks.exe
PID 4584 wrote to memory of 4468	4584	cvvhost.exe	schtasks.exe
PID 4584 wrote to memory of 4020	4584	cvvhost.exe	cmd.exe
PID 4584 wrote to memory of 4020	4584	cvvhost.exe	cmd.exe
PID 4020 wrote to memory of 2984	4020	cmd.exe	chcp.com
PID 4020 wrote to memory of 2984	4020	cmd.exe	chcp.com
PID 4020 wrote to memory of 2148	4020	cmd.exe	PING.EXE
PID 4020 wrote to memory of 2148	4020	cmd.exe	PING.EXE
PID 4020 wrote to memory of 2492	4020	cmd.exe	cvvhost.exe
PID 4020 wrote to memory of 2492	4020	cmd.exe	cvvhost.exe
PID 2492 wrote to memory of 1928	2492	cvvhost.exe	schtasks.exe
PID 2492 wrote to memory of 1928	2492	cvvhost.exe	schtasks.exe
PID 2492 wrote to memory of 1988	2492	cvvhost.exe	cmd.exe
PID 2492 wrote to memory of 1988	2492	cvvhost.exe	cmd.exe
PID 1988 wrote to memory of 4508	1988	cmd.exe	chcp.com
PID 1988 wrote to memory of 4508	1988	cmd.exe	chcp.com
PID 1988 wrote to memory of 4528	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 4528	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 3876	1988	cmd.exe	cvvhost.exe
PID 1988 wrote to memory of 3876	1988	cmd.exe	cvvhost.exe
PID 3876 wrote to memory of 1260	3876	cvvhost.exe	schtasks.exe
PID 3876 wrote to memory of 1260	3876	cvvhost.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQGTvFTws8mp.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4704

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3944

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qY34PKLaxJTf.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3100

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1692

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6KhRcZmY9WdE.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:3376

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2988

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYbJ8V6vZ1r4.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:2984

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2148

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EVbP0461OGJA.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:4508

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4528

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0XxP5jTz83d4.bat" "
13⤵
PID:3928

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
14⤵
PID:2488

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEia2j5d9LqB.bat" "
15⤵
PID:472

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4504

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:1568

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
16⤵
PID:4960

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zFpAqLWZkDgo.bat" "
17⤵
PID:4812

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
18⤵
PID:3364

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEzgMuTCdz1J.bat" "
19⤵
PID:1236

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2976

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:4004

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
20⤵
PID:3952

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F7JAGvYAcYDj.bat" "
21⤵
PID:2012

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:2888

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4780

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
22⤵
PID:3732

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6tuRLM3lyX5j.bat" "
23⤵
PID:3240

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2952

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:4304

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
24⤵
PID:2584

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UhJ6ixl0CBYl.bat" "
25⤵
PID:3888

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
26⤵
PID:4756

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mn1i6ycjL5bR.bat" "
27⤵
PID:1156

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4488

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:1072

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1468

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4672

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3548

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4736

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3424

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cvvhost.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0XxP5jTz83d4.bat
Filesize
197B

MD5
45e09b6ee313fe4c976ff33cc3a046af

SHA1
b9ee27722e3278e8b3162112ebf9b18881c82f51

SHA256
aa2124c044596ad8afc5d13ccaf909238efdbfd3d4f154458316b4b682101755

SHA512
60a4dd955c4fcfb66a7a527b2ee66f8c3fa422f244da758566b268dcf8c4308aad01e172cee031969a33726c8787b14705688e5e1c18cc20bc4e60d5f737bc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6KhRcZmY9WdE.bat
Filesize
197B

MD5
0dd17d97d22ecfac29e4d43e64952bb2

SHA1
60334236c810b0e3f348ed4ff1407ac8d3ea0a2b

SHA256
1fcd53db5e63cd5ff486a69ba0f2726616c89c5d995f5c4029036c9f682850dd

SHA512
e4d2f92b8c0f6859e95a193403ecf81fb2201de848975f95e0f79c3f3c3f8704dcfbaa8a9c893a7d9495a4d28b7603d9a001bcf7f54f27459a83a6ad8614ce55

Download Submit
C:\Users\Admin\AppData\Local\Temp\6tuRLM3lyX5j.bat
Filesize
197B

MD5
f1a10a4b4afacde8290c6d35d508e174

SHA1
bc7dba5ddc39fdde1ac0e5403ba16f2fd97f8fd8

SHA256
081c652a27b3fe10b964833debd0f40a1a20e511df923a4af79921b87427571b

SHA512
6d280f245eeee5fca1ec2d8d53394921b1974dbaf2495d4c9fa1b7add6a06e190d52e3a094b97eef13d7f2bc09d78097e5ad718aa3f3a0f2dc5ad2f8ee1f3799

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVbP0461OGJA.bat
Filesize
197B

MD5
aa45518dc0039200a0c18753e7d65e3f

SHA1
bd1ba4666b2afe45f4d06b8bc1e61b944e2e9505

SHA256
f6f0147e865fb15051344144fb6a400cc7785614fc79810b6847172555306a87

SHA512
81400cddc527b4566cee6e42c57960eef027b2606667f374b25f26d3571b936b280fa20704e7f06211952bc66c43319097e41b1fda5277e71646068077fca5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7JAGvYAcYDj.bat
Filesize
197B

MD5
72818fa0779c3a4bc3ffb6000eba4c38

SHA1
bd01e5be2b743160fd1418326094b28b9217d699

SHA256
f2ca21924d8cb1bb3e974ab22e1c7b5f737b75498c2f177b96f342d95de44703

SHA512
a2e6ffbd6f24614d16832149d0128c534e83341afc0a7556a05801da31894a89f3722f4afd1ab5df27cf9942c152d7e3ac4bbd36ea9b9bed58b065aeae553ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQGTvFTws8mp.bat
Filesize
197B

MD5
4c184b1f52ca6dace641ddca6ae7cc47

SHA1
b81950cede829e33401527cfd3b24689ed60874f

SHA256
a5e3881ec9ec0ccb1c9bcbf007d2046be22bf577813e41b1f4f0fe4e5f8e7bf0

SHA512
8666482996418e53f316a74223a138271323493617d019521df33e4ea7bc4f5dbf6cffb8f5b5d5d51c9b371aec672b4749bc39c60a4363db2669419a978644cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UhJ6ixl0CBYl.bat
Filesize
197B

MD5
c91f70d6d47915ecdd8c09efecd19c5a

SHA1
f764f456730aeea5688b30d738ad07f3bbcd6242

SHA256
48e852fbaf6728e9a91eda0b9ef0fa35991522ef7f87365a5655142b383873e4

SHA512
6935810bce0fb7f8964447e58749d2b8b87b32225fe2159464eb6f67e350537121a3f7bdd4bffa1a17f0a96c03ca2285764ba9a5180ddd41a9af18b8a3fc104b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEzgMuTCdz1J.bat
Filesize
197B

MD5
eb7007b4e25c1d46f405e9a38f149e90

SHA1
2c483e4ffdb5fcef65d388082c752f829cba27a2

SHA256
b67aff1e60a18c73de344f5f7b72a17e1e00b298032dd64c1c4113cb79f0964f

SHA512
79e75e91292ec5c47720f4c9d19942bd52ed473d31d80055c85ad90d0806e1a04edaee6c1445992d0b6479358fb346140e7afa97385611cd34a49628e2512a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYbJ8V6vZ1r4.bat
Filesize
197B

MD5
bbb4faaac002be4c1e1ac51831d8e51d

SHA1
9016cef44599d16c092063e9c110ac5f7b1e5705

SHA256
ded6c533bd4aa00658e411a4abc548accc775ca15f7b99cd02ea2751a8d37f0d

SHA512
3073ab7e0f2392f7b922e3ef524e84c5d51b38c2334d85605f08661d81ccf08b239ceb293092f00c7bb23323b2d076f8f73b936a0f6c4718ee97cdf8347a3b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mn1i6ycjL5bR.bat
Filesize
197B

MD5
748d215ade1e439dcceafb52b0b743b9

SHA1
6b426152a23fb5b0b6395944ed85ea6a4249be83

SHA256
adfba4e6dc3d6fbe9436d0437bb609153cf9e90753f979b9024465dd49a7e85d

SHA512
c1a87f57d86f32b2a9ab5d7b20bc81764a43e6a315bf5f22663515474729d25e1e838ff9a4a0721b5aa340a662d641354c614569b815b5186084ef9ed51dc897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qY34PKLaxJTf.bat
Filesize
197B

MD5
03aa9fbcbb990ced69782f8b9a3dd197

SHA1
f9b4df984d27f5cf318fc82e4f158728455aacf8

SHA256
041165480b6c1cce722b4152eed36df1fbfd2fe871ff7d9102e52dbccf81b9c8

SHA512
dc4e71be12be635c1906b430d82df6545e1915bd36152a36d755b2145138f041d7f043134f47036210a2be273eab459ee3c6b885d953d3f8d9b97172788f0289

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEia2j5d9LqB.bat
Filesize
197B

MD5
ad3ccfa82438fdcfa96ca95b41ba25e7

SHA1
19309e8cb369c379f808cc5dd97b441fbc15a68a

SHA256
694fdfda8455df911dadfa09c3b9f6d0cc862673ec399a944aa0736e550e3752

SHA512
1fdd1b7b3c37f2c537de875970a24a9fb0724c3c5140b4c98250c1af0c1397a0a55c8f344e89ada9251dba867112d2456b82e6da622125306552dd7b0213eb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zFpAqLWZkDgo.bat
Filesize
197B

MD5
bfa331f4af38edcc4267052d36ec69fc

SHA1
cd6203368350064807e7c85456426223aad8e935

SHA256
c90e9317565fa86a3bc01ab62b2b145c8c1a044aa53d1d26bd1fc0d1004a9f9f

SHA512
52d9c7a9ae82682631320b5f2a78c67081770f9927841b8a992cd552493461ee2b1e77144249af9792222000426232d5fbaf47b74b37d5d8ba01671b7b4fce38

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
2.6MB

MD5
cafd5dbfa2593a925165ce70bfbdc50d

SHA1
bec3fd8b19b438555aa55d57ff0497d3fc494c81

SHA256
b5f9bcb1409cc06e1eedc0bcea50ed5b7b7dac82b7fa7f237b551a3477c46b31

SHA512
7dedc93174be19ea2ccc4c090ede0cd487472d8ceb41fc537f4ea973612a951957bcfbedca5d5e2fecfcecac03f7f5a9676548e034908a92ff5c5b60150bbb9e

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\system32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
memory/2176-22-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download
memory/2176-23-0x000000001B3F0000-0x000000001B400000-memory.dmp

Filesize
64KB

Download
memory/2176-27-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download
memory/2228-36-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download
memory/2228-31-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/2228-30-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download
memory/2488-68-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp

Filesize
10.8MB

Download
memory/2488-62-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp

Filesize
10.8MB

Download
memory/2488-63-0x000000001B3D0000-0x000000001B3E0000-memory.dmp

Filesize
64KB

Download
memory/2492-52-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp

Filesize
10.8MB

Download
memory/2492-47-0x000000001B580000-0x000000001B590000-memory.dmp

Filesize
64KB

Download
memory/2492-46-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp

Filesize
10.8MB

Download
memory/2584-103-0x0000000001780000-0x0000000001790000-memory.dmp

Filesize
64KB

Download
memory/2584-102-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/2584-108-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/3364-78-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/3364-79-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

Filesize
64KB

Download
memory/3364-84-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/3732-100-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/3732-94-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/3732-95-0x000000001C010000-0x000000001C020000-memory.dmp

Filesize
64KB

Download
memory/3876-55-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/3876-54-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp

Filesize
10.8MB

Download
memory/3876-60-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp

Filesize
10.8MB

Download
memory/3884-9-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download
memory/3884-11-0x000000001BEE0000-0x000000001BEF0000-memory.dmp

Filesize
64KB

Download
memory/3884-12-0x000000001CA80000-0x000000001CAD0000-memory.dmp

Filesize
320KB

Download
memory/3884-13-0x000000001CB90000-0x000000001CC42000-memory.dmp

Filesize
712KB

Download
memory/3884-19-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download
memory/3952-87-0x000000001B8E0000-0x000000001B8F0000-memory.dmp

Filesize
64KB

Download
memory/3952-92-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/3952-86-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/4584-38-0x00007FFF69340000-0x00007FFF69E01000-memory.dmp

Filesize
10.8MB

Download
memory/4584-39-0x000000001BDF0000-0x000000001BE00000-memory.dmp

Filesize
64KB

Download
memory/4584-44-0x00007FFF69340000-0x00007FFF69E01000-memory.dmp

Filesize
10.8MB

Download
memory/4676-0-0x0000000000FC0000-0x00000000012E4000-memory.dmp

Filesize
3.1MB

Download
memory/4676-10-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download
memory/4676-2-0x0000000001B90000-0x0000000001BA0000-memory.dmp

Filesize
64KB

Download
memory/4676-1-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download
memory/4756-110-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/4756-111-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/4756-116-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/4960-76-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/4960-70-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp

Filesize
10.8MB

Download
memory/4960-71-0x000000001B300000-0x000000001B310000-memory.dmp

Filesize
64KB

Download