Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08-04-2024 06:55

General

  • Target

    e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    e6e2378b5d5ef85b039d0b261db4fa9e

  • SHA1

    2ab9b906aff4722d91b824b4ac887c5f9fc769c8

  • SHA256

    f06f42f55d97811886559c435e20fa273b088c08552ed47a70b715c21e74308d

  • SHA512

    24fbc820af4d86186f5cd76408add26cdd54e15573e0fce1b89b8167e5f736a06b45096bc99ef601ed4b01b4f3a9446051e678caea36f1188d9136c156856ce0

  • SSDEEP

    12288:tKhh8Op3AVN1B2bPHzdThCblOA1RIV84xR12UcHa2dCaGT576f+j1lc1SWZIBpLQ:tKhh8Op3AVN10bPHzdTg6

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

rat34.ddns.net:25565

Mutex

7bf81572-f7bb-4bdf-9c79-2c3a4754a152

Attributes
  • encryption_key

    C3DCCCB06A6A0C21F917BABB61CE259EB0570761

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Windows security bypass 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
    1⤵
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1020
    • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4724
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BulbEsDT2gTu.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:2512
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:5024
          • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
            4⤵
            • Checks computer location settings
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1896
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3884
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2360
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2400
            • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
              C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
              5⤵
              • Checks computer location settings
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:392
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FzbHdUlqlgk5.bat" "
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3016
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  7⤵
                    PID:2724
                  • C:\Windows\SysWOW64\PING.EXE
                    ping -n 10 localhost
                    7⤵
                    • Runs ping.exe
                    PID:1964
                  • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                    "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
                    7⤵
                    • Checks computer location settings
                    • Adds Run key to start application
                    • Suspicious use of SetThreadContext
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3776
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                      8⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2860
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
                      8⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4152
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                      8⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1972
                    • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                      C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                      8⤵
                      • Checks computer location settings
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1884
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qRCs6zBFRRC8.bat" "
                        9⤵
                          PID:3140
                          • C:\Windows\SysWOW64\chcp.com
                            chcp 65001
                            10⤵
                              PID:4608
                            • C:\Windows\SysWOW64\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • Runs ping.exe
                              PID:524
                            • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                              "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
                              10⤵
                              • Checks computer location settings
                              • Adds Run key to start application
                              • Suspicious use of SetThreadContext
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3076
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                11⤵
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4048
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
                                11⤵
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4872
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                11⤵
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3716
                              • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                11⤵
                                • Checks computer location settings
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2268
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGkFQ4DeO5bT.bat" "
                                  12⤵
                                    PID:4324
                                    • C:\Windows\SysWOW64\chcp.com
                                      chcp 65001
                                      13⤵
                                        PID:4328
                                      • C:\Windows\SysWOW64\PING.EXE
                                        ping -n 10 localhost
                                        13⤵
                                        • Runs ping.exe
                                        PID:4728
                                      • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                        "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
                                        13⤵
                                        • Checks computer location settings
                                        • Adds Run key to start application
                                        • Suspicious use of SetThreadContext
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1156
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                          14⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2456
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
                                          14⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1776
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                          14⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1392
                                        • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                          C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                          14⤵
                                          • Checks computer location settings
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4356
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5FRatSaIBxe0.bat" "
                                            15⤵
                                              PID:1696
                                              • C:\Windows\SysWOW64\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:1388
                                                • C:\Windows\SysWOW64\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • Runs ping.exe
                                                  PID:3576
                                                • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Adds Run key to start application
                                                  • Suspicious use of SetThreadContext
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3324
                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                                    17⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1924
                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
                                                    17⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1096
                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                                    17⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1828
                                                  • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                    C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                    17⤵
                                                    • Checks computer location settings
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1556
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaoQY8EFF36B.bat" "
                                                      18⤵
                                                        PID:3420
                                                        • C:\Windows\SysWOW64\chcp.com
                                                          chcp 65001
                                                          19⤵
                                                            PID:4644
                                                          • C:\Windows\SysWOW64\PING.EXE
                                                            ping -n 10 localhost
                                                            19⤵
                                                            • Runs ping.exe
                                                            PID:1136
                                                          • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
                                                            19⤵
                                                            • Checks computer location settings
                                                            • Adds Run key to start application
                                                            • Suspicious use of SetThreadContext
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4940
                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                                              20⤵
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4400
                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
                                                              20⤵
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2016
                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                                              20⤵
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3628
                                                            • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                              C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                              20⤵
                                                              • Checks computer location settings
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4496
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q0OtEA2Nz2i4.bat" "
                                                                21⤵
                                                                  PID:4124
                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                    chcp 65001
                                                                    22⤵
                                                                      PID:3536
                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                      ping -n 10 localhost
                                                                      22⤵
                                                                      • Runs ping.exe
                                                                      PID:1556
                                                                    • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
                                                                      22⤵
                                                                      • Checks computer location settings
                                                                      • Adds Run key to start application
                                                                      • Suspicious use of SetThreadContext
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:3944
                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                                                        23⤵
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4744
                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
                                                                        23⤵
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1540
                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                                                        23⤵
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:3144
                                                                      • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                        23⤵
                                                                          PID:1964
                                                                        • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                          23⤵
                                                                            PID:1708
                                                                          • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                            23⤵
                                                                              PID:4420
                                                                            • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                              23⤵
                                                                                PID:2924
                                                                              • C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                                                                23⤵
                                                                                • Suspicious use of UnmapMainImage
                                                                                PID:3920
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 12
                                                                                  24⤵
                                                                                  • Program crash
                                                                                  PID:2908
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3920 -ip 3920
                                    1⤵
                                      PID:1628

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Downloads



                                      7.7MB

                                    • memory/4724-18-0x0000000000400000-0x0000000000484000-memory.dmp

                                      Filesize

                                      528KB

                                    • memory/4724-29-0x00000000058C0000-0x00000000058D0000-memory.dmp

                                      Filesize

                                      64KB

                                    • memory/4724-27-0x0000000075000000-0x00000000757B0000-memory.dmp

                                      Filesize

                                      7.7MB