quasar | 812f2eb0ddd697fb459b8d5995315862bf1de986fc678bdb07acf91020a158a7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Size

750KB
MD5

3951a3346bf64f1a04c36e9c82da3a7e
SHA1

bc66506f01a1433ef1b8775967e37e471a8cbf4a
SHA256

812f2eb0ddd697fb459b8d5995315862bf1de986fc678bdb07acf91020a158a7
SHA512

2b76b7c99fc0f3fdb0b4aa0b7b915b79520d56ed43d1d5956ff71e884e5f3341557a9ae29ea72f343456deedb6ef79b0a4c475cef6236492de295e505b72bdad
SSDEEP

12288:B4dlopbvJCAijfHcGYE6KWzOZncIh6zEK54Vnbb6KhEtfXl9lXIfYUgWQbm:ByupLnijfDY/K1cIYJcnbb6KhEtfXl9e

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

sosomelaine.ddns.net:4782

Mutex

5aa8a922-9ddd-48c5-a7bc-b940d8e859d7

Attributes

encryption_key
27CFE7B11F37194DB24000D229CAEB3622E7CFCA
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\lr2SkiCj1SRN.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\YRoV1x8oFlXq.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\skDAtRkryNVW.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\3xEqJDgWHUQp.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\dwBSpB7xxOmC.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\u4M6OphUQmtK.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\ZZHHTjuKKSqV.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\lr2SkiCj1SRN.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\YRoV1x8oFlXq.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\skDAtRkryNVW.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\3xEqJDgWHUQp.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\dwBSpB7xxOmC.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\0AVxpWznqcaI.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\lF7BLZLnNxnq.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\rwCJCPU3SJ7L.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\u4M6OphUQmtK.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\ZZHHTjuKKSqV.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\lr2SkiCj1SRN.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\YRoV1x8oFlXq.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\skDAtRkryNVW.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\3xEqJDgWHUQp.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\dwBSpB7xxOmC.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\dwBSpB7xxOmC.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\3xEqJDgWHUQp.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\dwBSpB7xxOmC.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\YRoV1x8oFlXq.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\skDAtRkryNVW.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\3xEqJDgWHUQp.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\dwBSpB7xxOmC.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\rwCJCPU3SJ7L.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\u4M6OphUQmtK.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\ZZHHTjuKKSqV.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\lr2SkiCj1SRN.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\YRoV1x8oFlXq.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\skDAtRkryNVW.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\3xEqJDgWHUQp.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\dwBSpB7xxOmC.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\lF7BLZLnNxnq.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\rwCJCPU3SJ7L.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\u4M6OphUQmtK.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\ZZHHTjuKKSqV.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\lr2SkiCj1SRN.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\YRoV1x8oFlXq.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\skDAtRkryNVW.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\3xEqJDgWHUQp.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\dwBSpB7xxOmC.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\skDAtRkryNVW.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\3xEqJDgWHUQp.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\dwBSpB7xxOmC.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\ZZHHTjuKKSqV.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\lr2SkiCj1SRN.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\YRoV1x8oFlXq.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\skDAtRkryNVW.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\3xEqJDgWHUQp.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\dwBSpB7xxOmC.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\m0GHpscp92w7BRTe\\uazV3aGxGAZ7.exe\",explorer.exe"	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1868-9-0x0000000006B50000-0x0000000006BD4000-memory.dmp	family_quasar
behavioral2/memory/2424-10-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

description	pid	process	target process
PID 1868 set thread context of 2424	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 804 set thread context of 216	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 set thread context of 4148	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1872 set thread context of 1780	1872	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 2344 set thread context of 3508	2344	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 2988 set thread context of 912	2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 3616 set thread context of 2796	3616	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 452 set thread context of 1464	452	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 4492 set thread context of 2644	4492	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 4172 set thread context of 428	4172	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 4900 set thread context of 1920	4900	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4884 PING.EXE
928 PING.EXE
3776 PING.EXE
4428 PING.EXE
1048 PING.EXE
2792 PING.EXE
3748 PING.EXE
2668 PING.EXE
1544 PING.EXE
3500 PING.EXE
4968 PING.EXE

pid	process
4884	PING.EXE
928	PING.EXE
3776	PING.EXE
4428	PING.EXE
1048	PING.EXE
2792	PING.EXE
3748	PING.EXE
2668	PING.EXE
1544	PING.EXE
3500	PING.EXE
4968	PING.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

pid	process
1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1872	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1872	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2344	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2344	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2344	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2344	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2344	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2344	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
3616	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
3616	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
452	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
452	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4492	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4492	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4492	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4492	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4492	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4492	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4172	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4172	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4900	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4900	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4900	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4900	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4900	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4900	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	2424	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	216	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	4148	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	1872	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	1872	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	1780	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	2344	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	2344	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	3508	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	2988	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	912	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	3616	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	3616	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	2796	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	452	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	452	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	1464	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	4492	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	4492	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	2644	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	4172	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	4172	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	428	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	4900	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	4900	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
Token: SeDebugPrivilege	1920	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

pid	process
2424	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
216	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4148	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1780	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
3508	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
912	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2796	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1464	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2644	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
428	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1920	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

pid	process
2424	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
216	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
4148	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1780	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
3508	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
912	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2796	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1464	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
2644	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
428	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
1920	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.execmd.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.execmd.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1868 wrote to memory of 2424	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1868 wrote to memory of 2424	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1868 wrote to memory of 2424	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1868 wrote to memory of 2424	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1868 wrote to memory of 2424	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1868 wrote to memory of 2424	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1868 wrote to memory of 2424	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1868 wrote to memory of 2424	1868	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 2424 wrote to memory of 512	2424	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	cmd.exe
PID 2424 wrote to memory of 512	2424	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	cmd.exe
PID 2424 wrote to memory of 512	2424	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	cmd.exe
PID 512 wrote to memory of 948	512	cmd.exe	chcp.com
PID 512 wrote to memory of 948	512	cmd.exe	chcp.com
PID 512 wrote to memory of 948	512	cmd.exe	chcp.com
PID 512 wrote to memory of 4884	512	cmd.exe	PING.EXE
PID 512 wrote to memory of 4884	512	cmd.exe	PING.EXE
PID 512 wrote to memory of 4884	512	cmd.exe	PING.EXE
PID 512 wrote to memory of 804	512	cmd.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 512 wrote to memory of 804	512	cmd.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 512 wrote to memory of 804	512	cmd.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 804 wrote to memory of 216	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 804 wrote to memory of 216	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 804 wrote to memory of 216	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 804 wrote to memory of 216	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 804 wrote to memory of 216	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 804 wrote to memory of 216	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 804 wrote to memory of 216	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 804 wrote to memory of 216	804	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 216 wrote to memory of 3936	216	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	cmd.exe
PID 216 wrote to memory of 3936	216	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	cmd.exe
PID 216 wrote to memory of 3936	216	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	cmd.exe
PID 3936 wrote to memory of 5068	3936	cmd.exe	chcp.com
PID 3936 wrote to memory of 5068	3936	cmd.exe	chcp.com
PID 3936 wrote to memory of 5068	3936	cmd.exe	chcp.com
PID 3936 wrote to memory of 928	3936	cmd.exe	PING.EXE
PID 3936 wrote to memory of 928	3936	cmd.exe	PING.EXE
PID 3936 wrote to memory of 928	3936	cmd.exe	PING.EXE
PID 3936 wrote to memory of 1724	3936	cmd.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 3936 wrote to memory of 1724	3936	cmd.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 3936 wrote to memory of 1724	3936	cmd.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 2224	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 2224	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 2224	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 640	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 640	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 640	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 3120	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 3120	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 3120	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 4148	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 4148	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 4148	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 4148	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 4148	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 4148	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 4148	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 1724 wrote to memory of 4148	1724	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
PID 4148 wrote to memory of 4656	4148	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	cmd.exe
PID 4148 wrote to memory of 4656	4148	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	cmd.exe
PID 4148 wrote to memory of 4656	4148	3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe	cmd.exe
PID 4656 wrote to memory of 2836	4656	cmd.exe	chcp.com
PID 4656 wrote to memory of 2836	4656	cmd.exe	chcp.com
PID 4656 wrote to memory of 2836	4656	cmd.exe	chcp.com
PID 4656 wrote to memory of 3776	4656	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Smns7nkqD580.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:948

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4884

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
4⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4nftfp4yHXWk.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:5068

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:928

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
7⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
8⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
8⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
8⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
8⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUhpNQWIVtMr.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2836

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3776

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
10⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
11⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M4sntTeqjyuv.bat" "
12⤵
PID:4392

C:\Windows\SysWOW64\chcp.com
chcp 65001
13⤵
PID:2468

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:3748

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
13⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
14⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
14⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w14neEeXfybs.bat" "
15⤵
PID:2056

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:816

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4428

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
16⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
17⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
17⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
17⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
17⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qklPHShabF2L.bat" "
18⤵
PID:3248

C:\Windows\SysWOW64\chcp.com
chcp 65001
19⤵
PID:2824

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
19⤵
- Runs ping.exe
PID:2668

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
19⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
20⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\InwxBzYluLgA.bat" "
21⤵
PID:1144

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1584

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1048

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
22⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
23⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgwv7UgqErnT.bat" "
24⤵
PID:3776

C:\Windows\SysWOW64\chcp.com
chcp 65001
25⤵
PID:1584

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
25⤵
- Runs ping.exe
PID:1544

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
25⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
26⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
26⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkZx1VkZfdMg.bat" "
27⤵
PID:4720

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:2580

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3500

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
28⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
29⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISzXoLql2bJa.bat" "
30⤵
PID:1176

C:\Windows\SysWOW64\chcp.com
chcp 65001
31⤵
PID:3016

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
31⤵
- Runs ping.exe
PID:2792

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
31⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
32⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe"
32⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COScABBwVyfQ.bat" "
33⤵
PID:4556

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:3692

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3951a3346bf64f1a04c36e9c82da3a7e_JaffaCakes118.exe.log

Filesize
1KB

MD5
38b07cd5da5c740e9629fd801dc26e5a

SHA1
42816159ab9367165cf58603b09b134d488c1690

SHA256
20049cc7ade63a31f442dfd2b99740f0512fdcc764266b8b105292e30d2b7483

SHA512
1769ffefe181531476e10311295f38d11b85b5ec3710000b5cb081675e5f233792f96bb4178b75fd0e2cfc86965e7368173d22799a1e9fa3317ddd49047fab5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4nftfp4yHXWk.bat

Filesize
243B

MD5
ca4ce6fcc35ebf1cbd1e16113c2eee1d

SHA1
1e0efefe37a7d4a75033116a1f29340d6c9dbc6f

SHA256
b320a61b5157d22b5d015aadcfbd5bbf4d704bb44592190e5da8bc8470351de6

SHA512
a1265351d6aed66e795078262ec8fc4b76d2ce2fe6a53d62d302fbe95ff79f7a3ed3c3262ebc4bc8f194f8621f3801018651f9051ec081d8b238e8955286496b

Download Submit
C:\Users\Admin\AppData\Local\Temp\COScABBwVyfQ.bat

Filesize
243B

MD5
502091763e143dd5d28b87b0d099a241

SHA1
8a4b86881c933d8857d86e1630fbb15e16a8bce7

SHA256
249b3a8f338b43996dd3f9e20265f2f1f2c32336df33afa0d83312eae4acf8b3

SHA512
010566b2cce20110488b136a238108b4ce9057d62075f672a7b5bc9ca169e4430212b0ba17c3f9d6e57ebca200b4af8556a496be7e98eb874b7057137bd0ec77

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkZx1VkZfdMg.bat

Filesize
243B

MD5
ace0dca3dbcef18560d31c7698a68a89

SHA1
b0e3e59d7097ec621a5fb0bda3468e44f1623813

SHA256
5fdc4019e98a169a582e3a68dbf8d57c11522a3e7819f86d3415741699eb1d0e

SHA512
1dd33e6326ab48754dc41a9fec1de4040170a62ff671905d46a1e204704bdb6975b53a9095fa4136f94f6ad8f23d982b39ae7db94509ab056ccd45e0215794d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISzXoLql2bJa.bat

Filesize
243B

MD5
7b58a08d61123aa0a567d15fb2d25408

SHA1
a7900db4161bbea84892f546ca766f705e538efa

SHA256
c1eed481eacc61de849060a7ae4dbcc5e1e474a14564793b8c0b03ae13113cd1

SHA512
b8d23695a14229b4b85828f7a456c7b9ecb7d50de12a35d19785b2f69bee0b144d1555caa7f68f5adf91779d83a14afd3400db68bdaacb27ef49084270767f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\InwxBzYluLgA.bat

Filesize
243B

MD5
e3c149a635d41da9bbea07c44b5a07e2

SHA1
ab915b5ff70dd43cf4c1ddd42b3cc52e24ca618b

SHA256
dbf5b436f9546d6f0c39bd7ee16479036c353a3bd0efca84f7429ac0ed3cc45d

SHA512
2e5aac5f9e0acf3cd8cfcb71db57022e22fc9048b39d4dab529c495ef528e3e3fa40637a1bb0937a3bf01e70240801e69fb47cfec52dc4ad16c2f482bdc9f740

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUhpNQWIVtMr.bat

Filesize
243B

MD5
7be09e0e80696c3dd3ba8e2c187d8b09

SHA1
ff36ce2bc8bdaa193ead09f7f298516949656588

SHA256
9e38583b5b9d4df43e195ea2bb4f9c5797c8c759542035fe732824ad17e7f7cc

SHA512
3c00d09960962a3fedfeed2ed832619cffe660eb5d3bd57ed10711fc69e3f75dad0ed0a6ba439b6d3674db80cd230f7833dae27710e17eb3e420d4a56ed0d275

Download Submit
C:\Users\Admin\AppData\Local\Temp\M4sntTeqjyuv.bat

Filesize
243B

MD5
124da0722e3798dea98d1912b17d9a44

SHA1
c9ad6ac7d18c08ddaaa66abd4dce0bf754297721

SHA256
9471c5d10c37e38848f78a08803037595c5d93b0fa8ba4aee86b368bc09da66e

SHA512
775368f1aea9dd97d53e11e8f59730f80436efb7fd92c70d33501fcc724f4bf4f0dd6c80812dca6d553d5ec6d03306bab36a813460eae28e48493fcd8d967739

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smns7nkqD580.bat

Filesize
243B

MD5
6ed956959cfdb0342401eb1007a79be2

SHA1
ed015baa6292d63c620911fc228dc7848a5cf78e

SHA256
6adb2e66c9402aea8588c7cab4521eee94621dd26f370c8654427b8a5f0e0d32

SHA512
52676c7ea1d97db90a1f86bf0d4b98380950f66c29ee9511120672ab78cfbcacfbd80f7551e8fb0ac94c5d084f66aede0b8dd223f637dfb23c5d90b85280cdc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgwv7UgqErnT.bat

Filesize
243B

MD5
78d64b60dfbdbdcd0caceaba1e36f069

SHA1
a80b8d75134bab4b5d3e7972d16ac318d48660b4

SHA256
b68b88ff95495d890ee8146fbb5bec91baec24fac3183f07462194f54b8018b4

SHA512
863750e6e29b38de0f0f05f5f5a15174d07380224a2646711fee342cf1f018f4796b070914b2ced7a51705c333c730a2a77de8ec2ece8c047152e9725938c5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qklPHShabF2L.bat

Filesize
243B

MD5
9634acef65ba8db4ed6736037d4a5187

SHA1
c3717478acd31344e47e7f668aee814238eed5ed

SHA256
7903c9b2ca0d34b3ae4d389b9b82d5ef11879bf215e756bb744f05e0b8c43e23

SHA512
66b06d983bf12dada2df5992d7878f74004e1f634b956b59838ae8f2b0ebd49a10acacc31e3234630483746301e0e4357bc850227a38dd80870a668b2894afd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\w14neEeXfybs.bat

Filesize
243B

MD5
8035426d22ffac1c811b269cb1724f42

SHA1
ba91e5d956f0a89dfc634ccf47e47a13372ce132

SHA256
1f590e992fae3efcc3178e78c91fc1c63f907441493443c3844994d3abc7cbd7

SHA512
42f38a7df5370543eb5b09e8dcca832d7419b681fd86749fe759fa6a1351444d343ad0052c03a690a38c187c5b8b219a1ba9e4538a0406b421039eb64f523854

Download Submit
C:\Users\Admin\AppData\Roaming\m0GHpscp92w7BRTe\dwBSpB7xxOmC.exe

Filesize
750KB

MD5
3951a3346bf64f1a04c36e9c82da3a7e

SHA1
bc66506f01a1433ef1b8775967e37e471a8cbf4a

SHA256
812f2eb0ddd697fb459b8d5995315862bf1de986fc678bdb07acf91020a158a7

SHA512
2b76b7c99fc0f3fdb0b4aa0b7b915b79520d56ed43d1d5956ff71e884e5f3341557a9ae29ea72f343456deedb6ef79b0a4c475cef6236492de295e505b72bdad

Download Submit
memory/1868-9-0x0000000006B50000-0x0000000006BD4000-memory.dmp

Filesize
528KB

Download
memory/1868-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/1868-1-0x0000000000BD0000-0x0000000000C92000-memory.dmp

Filesize
776KB

Download
memory/1868-2-0x0000000005C90000-0x0000000006234000-memory.dmp

Filesize
5.6MB

Download
memory/1868-24-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/1868-3-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/1868-4-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/1868-33-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/1868-5-0x0000000005660000-0x000000000566A000-memory.dmp

Filesize
40KB

Download
memory/1868-6-0x0000000005080000-0x00000000050D6000-memory.dmp

Filesize
344KB

Download
memory/2424-14-0x0000000006F40000-0x0000000007558000-memory.dmp

Filesize
6.1MB

Download
memory/2424-10-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2424-12-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2424-13-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2424-21-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2424-15-0x00000000069F0000-0x0000000006A40000-memory.dmp

Filesize
320KB

Download
memory/2424-16-0x0000000006C60000-0x0000000006D12000-memory.dmp

Filesize
712KB

Download
memory/4172-90-0x00000000059C0000-0x0000000005A16000-memory.dmp

Filesize
344KB

Download