quasar | 9aab35f222f2953738e83432940f14af4e12e72a741f80fa5dec7d0197ed6e7a

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
Size

718KB
MD5

8c48c8c45d7f3bdd3c888a1c75fa9b27
SHA1

1d212ea492feb0c4695745d51ac0ac2e9fb7b2b5
SHA256

9aab35f222f2953738e83432940f14af4e12e72a741f80fa5dec7d0197ed6e7a
SHA512

f2a4a77bdb4a3ce39eda27121dfe01f71f91cd3d89b52098c71140fa89b3b89259a9c5e3323953ac332d42af2df1ef0eebe9801a25749b4965bf635c1a841deb
SSDEEP

12288:XEv8FVujUpVTWgThfJ614X5p/iYHI0Oq8M0oko8ZiFhDF8KSpTTj/XL817n3WGhs:XEEbuQ9WmD1HITPTnXL81LDhhWeOqJEx

Score

10^/10

quasar svchost spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

svchost

scvhosts.duckdns.org:1604

Mutex

QSR_MUTEX_InsAUB54MmLlzTys9a

Attributes

encryption_key
pOXtQTNjkHXEe8G4lu1f
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Svchost
subdirectory
svchost

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

flow ioc

7 ip-api.com
49 ip-api.com
67 ip-api.com
4888 schtasks.exe

flow	ioc
7	ip-api.com
49	ip-api.com
67	ip-api.com
4888	schtasks.exe

Quasar payload 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5064-10-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/5064-8-0x0000000000900000-0x000000000095E000-memory.dmp	family_quasar
behavioral2/memory/5064-7-0x0000000000900000-0x000000000095E000-memory.dmp	family_quasar
behavioral2/memory/5064-6-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/5064-4-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/5064-23-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/5064-34-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/2732-43-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/2732-57-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/2732-56-0x0000000000E20000-0x0000000000E7E000-memory.dmp	family_quasar
behavioral2/memory/4628-85-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/4628-84-0x0000000000D50000-0x0000000000DAE000-memory.dmp	family_quasar
behavioral2/memory/4436-100-0x0000000000D50000-0x0000000000DAE000-memory.dmp	family_quasar
behavioral2/memory/4436-111-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/2924-125-0x0000000000E20000-0x0000000000E7E000-memory.dmp	family_quasar
behavioral2/memory/2924-127-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/2924-146-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/2948-159-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/2948-171-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/4424-180-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/4424-197-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/5012-205-0x0000000000F50000-0x0000000000FAE000-memory.dmp	family_quasar
behavioral2/memory/5012-222-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/2204-241-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/3656-275-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/4464-292-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/4464-302-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/3040-320-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/4940-346-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/4864-372-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/4864-381-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/4032-389-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar
behavioral2/memory/4032-408-0x0000000000400000-0x00000000004C8000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 28 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
4652	svchost.exe
2732	svchost.exe
2016	svchost.exe
4628	svchost.exe
3980	svchost.exe
4436	svchost.exe
4652	svchost.exe
2924	svchost.exe
3252	svchost.exe
2948	svchost.exe
4352	svchost.exe
4424	svchost.exe
2676	svchost.exe
5012	svchost.exe
2836	svchost.exe
2204	svchost.exe
2560	svchost.exe
3656	svchost.exe
1780	svchost.exe
4464	svchost.exe
4888	svchost.exe
3040	svchost.exe
1812	svchost.exe
4940	svchost.exe
2660	svchost.exe
4864	svchost.exe
1244	svchost.exe
4032	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5064-1-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/5064-3-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/5064-10-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/5064-6-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/5064-4-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2732-43-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2924-127-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2948-159-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/4424-180-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/4032-389-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
49 ip-api.com
67 ip-api.com

flow	ioc
7	ip-api.com
49	ip-api.com
67	ip-api.com

Drops file in System32 directory 30 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exe8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\svchost\svchost.exe	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 4236 set thread context of 5064	4236	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
PID 4652 set thread context of 2732	4652	svchost.exe	svchost.exe
PID 2016 set thread context of 4628	2016	svchost.exe	svchost.exe
PID 3980 set thread context of 4436	3980	svchost.exe	svchost.exe
PID 4652 set thread context of 2924	4652	svchost.exe	svchost.exe
PID 3252 set thread context of 2948	3252	svchost.exe	svchost.exe
PID 4352 set thread context of 4424	4352	svchost.exe	svchost.exe
PID 2676 set thread context of 5012	2676	svchost.exe	svchost.exe
PID 2836 set thread context of 2204	2836	svchost.exe	svchost.exe
PID 2560 set thread context of 3656	2560	svchost.exe	svchost.exe
PID 1780 set thread context of 4464	1780	svchost.exe	svchost.exe
PID 4888 set thread context of 3040	4888	svchost.exe	svchost.exe
PID 1812 set thread context of 4940	1812	svchost.exe	svchost.exe
PID 2660 set thread context of 4864	2660	svchost.exe	svchost.exe
PID 1244 set thread context of 4032	1244	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4472	2732	WerFault.exe	svchost.exe
3656	4628	WerFault.exe	svchost.exe
3580	4436	WerFault.exe	svchost.exe
3776	2924	WerFault.exe	svchost.exe
3984	2948	WerFault.exe	svchost.exe
4004	4424	WerFault.exe	svchost.exe
3272	5012	WerFault.exe	svchost.exe
2980	2204	WerFault.exe	svchost.exe
3104	3656	WerFault.exe	svchost.exe
1588	4464	WerFault.exe	svchost.exe
888	3040	WerFault.exe	svchost.exe
5004	4940	WerFault.exe	svchost.exe
4176	4864	WerFault.exe	svchost.exe
4144	4032	WerFault.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1384	schtasks.exe
4296	schtasks.exe
1504	schtasks.exe
4840	schtasks.exe
2396	schtasks.exe
3176	schtasks.exe
2372	schtasks.exe
2088	schtasks.exe
4512	schtasks.exe
3008	schtasks.exe
2736	schtasks.exe
2792	schtasks.exe
4888	schtasks.exe
4664	schtasks.exe
684	schtasks.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
820	PING.EXE
2456	PING.EXE
3340	PING.EXE
4416	PING.EXE
4432	PING.EXE
3304	PING.EXE
4180	PING.EXE
2932	PING.EXE
2360	PING.EXE
4604	PING.EXE
4456	PING.EXE
1388	PING.EXE
3180	PING.EXE
992	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

pid	process
4236	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
4236	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
4652	svchost.exe
4652	svchost.exe
2016	svchost.exe
2016	svchost.exe
3980	svchost.exe
3980	svchost.exe
4652	svchost.exe
4652	svchost.exe
3252	svchost.exe
3252	svchost.exe
4352	svchost.exe
4352	svchost.exe
2676	svchost.exe
2676	svchost.exe
2836	svchost.exe
2836	svchost.exe
2560	svchost.exe
2560	svchost.exe
1780	svchost.exe
1780	svchost.exe
4888	svchost.exe
4888	svchost.exe
1812	svchost.exe
1812	svchost.exe
2660	svchost.exe
2660	svchost.exe
1244	svchost.exe
1244	svchost.exe

Suspicious behavior: MapViewOfSection 15 IoCs

Processes:

pid	process
4236	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
4652	svchost.exe
2016	svchost.exe
3980	svchost.exe
4652	svchost.exe
3252	svchost.exe
4352	svchost.exe
2676	svchost.exe
2836	svchost.exe
2560	svchost.exe
1780	svchost.exe
4888	svchost.exe
1812	svchost.exe
2660	svchost.exe
1244	svchost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	5064	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
Token: SeDebugPrivilege	2732	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4436	svchost.exe
Token: SeDebugPrivilege	2924	svchost.exe
Token: SeDebugPrivilege	2948	svchost.exe
Token: SeDebugPrivilege	4424	svchost.exe
Token: SeDebugPrivilege	5012	svchost.exe
Token: SeDebugPrivilege	2204	svchost.exe
Token: SeDebugPrivilege	3656	svchost.exe
Token: SeDebugPrivilege	4464	svchost.exe
Token: SeDebugPrivilege	3040	svchost.exe
Token: SeDebugPrivilege	4940	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4032	svchost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2732	svchost.exe
4628	svchost.exe
4436	svchost.exe
2924	svchost.exe
2948	svchost.exe
4424	svchost.exe
5012	svchost.exe
2204	svchost.exe
3656	svchost.exe
4464	svchost.exe
3040	svchost.exe
4940	svchost.exe
4864	svchost.exe
4032	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exesvchost.exesvchost.execmd.exesvchost.exesvchost.execmd.exesvchost.exesvchost.execmd.exesvchost.exe

description	pid	process	target process
PID 4236 wrote to memory of 5064	4236	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
PID 4236 wrote to memory of 5064	4236	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
PID 4236 wrote to memory of 5064	4236	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
PID 5064 wrote to memory of 4888	5064	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe	schtasks.exe
PID 5064 wrote to memory of 4888	5064	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe	schtasks.exe
PID 5064 wrote to memory of 4888	5064	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe	schtasks.exe
PID 5064 wrote to memory of 4652	5064	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe	svchost.exe
PID 5064 wrote to memory of 4652	5064	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe	svchost.exe
PID 5064 wrote to memory of 4652	5064	8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe	svchost.exe
PID 4652 wrote to memory of 2732	4652	svchost.exe	svchost.exe
PID 4652 wrote to memory of 2732	4652	svchost.exe	svchost.exe
PID 4652 wrote to memory of 2732	4652	svchost.exe	svchost.exe
PID 2732 wrote to memory of 1504	2732	svchost.exe	schtasks.exe
PID 2732 wrote to memory of 1504	2732	svchost.exe	schtasks.exe
PID 2732 wrote to memory of 1504	2732	svchost.exe	schtasks.exe
PID 2732 wrote to memory of 752	2732	svchost.exe	cmd.exe
PID 2732 wrote to memory of 752	2732	svchost.exe	cmd.exe
PID 2732 wrote to memory of 752	2732	svchost.exe	cmd.exe
PID 752 wrote to memory of 772	752	cmd.exe	chcp.com
PID 752 wrote to memory of 772	752	cmd.exe	chcp.com
PID 752 wrote to memory of 772	752	cmd.exe	chcp.com
PID 752 wrote to memory of 4604	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 4604	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 4604	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 2016	752	cmd.exe	svchost.exe
PID 752 wrote to memory of 2016	752	cmd.exe	svchost.exe
PID 752 wrote to memory of 2016	752	cmd.exe	svchost.exe
PID 2016 wrote to memory of 4628	2016	svchost.exe	svchost.exe
PID 2016 wrote to memory of 4628	2016	svchost.exe	svchost.exe
PID 2016 wrote to memory of 4628	2016	svchost.exe	svchost.exe
PID 4628 wrote to memory of 4840	4628	svchost.exe	schtasks.exe
PID 4628 wrote to memory of 4840	4628	svchost.exe	schtasks.exe
PID 4628 wrote to memory of 4840	4628	svchost.exe	schtasks.exe
PID 4628 wrote to memory of 3108	4628	svchost.exe	cmd.exe
PID 4628 wrote to memory of 3108	4628	svchost.exe	cmd.exe
PID 4628 wrote to memory of 3108	4628	svchost.exe	cmd.exe
PID 3108 wrote to memory of 3472	3108	cmd.exe	chcp.com
PID 3108 wrote to memory of 3472	3108	cmd.exe	chcp.com
PID 3108 wrote to memory of 3472	3108	cmd.exe	chcp.com
PID 3108 wrote to memory of 3304	3108	cmd.exe	PING.EXE
PID 3108 wrote to memory of 3304	3108	cmd.exe	PING.EXE
PID 3108 wrote to memory of 3304	3108	cmd.exe	PING.EXE
PID 3108 wrote to memory of 3980	3108	cmd.exe	svchost.exe
PID 3108 wrote to memory of 3980	3108	cmd.exe	svchost.exe
PID 3108 wrote to memory of 3980	3108	cmd.exe	svchost.exe
PID 3980 wrote to memory of 4436	3980	svchost.exe	svchost.exe
PID 3980 wrote to memory of 4436	3980	svchost.exe	svchost.exe
PID 3980 wrote to memory of 4436	3980	svchost.exe	svchost.exe
PID 4436 wrote to memory of 2372	4436	svchost.exe	schtasks.exe
PID 4436 wrote to memory of 2372	4436	svchost.exe	schtasks.exe
PID 4436 wrote to memory of 2372	4436	svchost.exe	schtasks.exe
PID 4436 wrote to memory of 1556	4436	svchost.exe	cmd.exe
PID 4436 wrote to memory of 1556	4436	svchost.exe	cmd.exe
PID 4436 wrote to memory of 1556	4436	svchost.exe	cmd.exe
PID 1556 wrote to memory of 2644	1556	cmd.exe	chcp.com
PID 1556 wrote to memory of 2644	1556	cmd.exe	chcp.com
PID 1556 wrote to memory of 2644	1556	cmd.exe	chcp.com
PID 1556 wrote to memory of 1388	1556	cmd.exe	PING.EXE
PID 1556 wrote to memory of 1388	1556	cmd.exe	PING.EXE
PID 1556 wrote to memory of 1388	1556	cmd.exe	PING.EXE
PID 1556 wrote to memory of 4652	1556	cmd.exe	svchost.exe
PID 1556 wrote to memory of 4652	1556	cmd.exe	svchost.exe
PID 1556 wrote to memory of 4652	1556	cmd.exe	svchost.exe
PID 4652 wrote to memory of 2924	4652	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe" /rl HIGHEST /f
3⤵
- Quasar RAT
- Creates scheduled task(s)
PID:4888

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fBB32Pg0Z84v.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:772

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4604

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wXyBVuBeMdlo.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\chcp.com
chcp 65001
9⤵
PID:3472

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:3304

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c8q3rmnBFtnf.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2644

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1388

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
14⤵
- Creates scheduled task(s)
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7GrQwQfSKfWU.bat" "
14⤵
PID:4044

C:\Windows\SysWOW64\chcp.com
chcp 65001
15⤵
PID:3996

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:4180

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3252

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKx0wbMGUMHc.bat" "
17⤵
PID:4776

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3656

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3180

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4352

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
20⤵
- Creates scheduled task(s)
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MRyh3gbs3aCO.bat" "
20⤵
PID:4392

C:\Windows\SysWOW64\chcp.com
chcp 65001
21⤵
PID:2484

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:2932

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2676

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tV4H3sHhDHxX.bat" "
23⤵
PID:3736

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:1240

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:992

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2836

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
26⤵
- Creates scheduled task(s)
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ubybqn8ptlPa.bat" "
26⤵
PID:528

C:\Windows\SysWOW64\chcp.com
chcp 65001
27⤵
PID:4276

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
27⤵
- Runs ping.exe
PID:820

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2560

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwljJIdUgH6T.bat" "
29⤵
PID:4032

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:3624

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:2456

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
30⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1780

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4464

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
32⤵
- Creates scheduled task(s)
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4rRBQB5zadLp.bat" "
32⤵
PID:5028

C:\Windows\SysWOW64\chcp.com
chcp 65001
33⤵
PID:2372

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
33⤵
- Runs ping.exe
PID:4456

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4888

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ZnPYtlOp8un.bat" "
35⤵
PID:4572

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:4552

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:3340

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
36⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1812

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
38⤵
- Creates scheduled task(s)
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piRZFSKcQyEN.bat" "
38⤵
PID:428

C:\Windows\SysWOW64\chcp.com
chcp 65001
39⤵
PID:1200

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
39⤵
- Runs ping.exe
PID:4416

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2660

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaCvFTELvnJ7.bat" "
41⤵
PID:2712

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:3020

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:2360

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
42⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1244

C:\Windows\SysWOW64\svchost\svchost.exe
"C:\Windows\SysWOW64\svchost\svchost.exe"
43⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchost.exe" /rl HIGHEST /f
44⤵
- Creates scheduled task(s)
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaYzMSZOfaOg.bat" "
44⤵
PID:544

C:\Windows\SysWOW64\chcp.com
chcp 65001
45⤵
PID:1276

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
45⤵
- Runs ping.exe
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 2228
44⤵
- Program crash
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1720
41⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 2220
38⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 2228
35⤵
- Program crash
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 2240
32⤵
- Program crash
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 2252
29⤵
- Program crash
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 2224
26⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 2252
23⤵
- Program crash
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 2256
20⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 2216
17⤵
- Program crash
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 2224
14⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 2220
11⤵
- Program crash
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2208
8⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 2224
5⤵
- Program crash
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2732 -ip 2732
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4628 -ip 4628
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4436 -ip 4436
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2924 -ip 2924
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2948 -ip 2948
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4424 -ip 4424
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5012 -ip 5012
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2204 -ip 2204
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3656 -ip 3656
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4464 -ip 4464
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3040 -ip 3040
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4940 -ip 4940
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4864 -ip 4864
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4032 -ip 4032
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ZnPYtlOp8un.bat

Filesize
198B

MD5
59c1253ae598e2d51024e6a573e73d9a

SHA1
800b87fcf9bcb032e6489399de3fe4cc481a02de

SHA256
26f253063fc6d81dc3c9f5cacc7b6f21360193df00ee6fbb5523f9c9562ee733

SHA512
d7376ad768a9cb2456d954394b06494d8ab21bd573ca5701b466cc13eda53c33a841ca9a3f26291518bc4c2ec8d9131b3957aa5d9d7ba76df4383799c2193fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rRBQB5zadLp.bat

Filesize
198B

MD5
033dfdef48ac1f342770516f52ff684f

SHA1
0bb39fc7ae902eea58f58ec74aabb4f9327e5337

SHA256
f7d2dc5093af532eed366e7f090006309e62c21b776070777aa3ce3b948f1c9a

SHA512
1c085bda23de3280222f4f9ded14410d27473110d9d7b7d94802ae25f49d3874e34f57d8275d9395d599cbfcbd0933f628ca05d5397281c107b0891217bdd373

Download Submit
C:\Users\Admin\AppData\Local\Temp\7GrQwQfSKfWU.bat

Filesize
198B

MD5
28d0bbd6310fb10b4f25b33d5f1aa760

SHA1
5c181ce0b9b5afa0a73431a376e80ef73d4df037

SHA256
b34fc12604c4f4b96f5c30aaa463f7822c9171035bce5cb6e9faff41ae47d704

SHA512
a1e1cf9d405f8133125223a4e4fbd16f7071eb89564e3b04c0b824c676199f7d845cee1c42ff0d9dd47f6a12bf5bbc67e6c6edeb0f316ac79b5861b0663b8300

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRyh3gbs3aCO.bat

Filesize
198B

MD5
a8edd8291d80cf845aa352aa392fcc48

SHA1
e21329505ddc1b9e2cb5463bf74572fa4c683079

SHA256
9328d91a78961dc8b79cdbf23c391d7339b42e3ee844ad0d3eab0694b8dbbf74

SHA512
5cba80b4353f22bb625381e9e7b348c754e05b91f5d8596a5c02e219f569e99a4945355f87b615e13d3f76ec63dca9c8830498740cd7b008188c444b716b2e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UaYzMSZOfaOg.bat

Filesize
198B

MD5
a8d1d18b7eb66fde72fc0e0f409d86ac

SHA1
32c5d25090e181e924d56d0c9c7820388a494437

SHA256
083cb84c57c0cba6e7a3e2d30e3e14f6aca0396b78e731eed57bad81aba838ff

SHA512
f1f524e4500ee786da3d52d7f786535f4e4696e7a2a5e5209f3315e9ce4efcd3ee728d9d86685a32568612c53dfb04eaa87b782823b175ffcc7bdde108bd36e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ubybqn8ptlPa.bat

Filesize
198B

MD5
9332481697229b7e134cd87f59af39d5

SHA1
2feddd805f547779613610a0e5955a854e5573b9

SHA256
6fab2f6f90cab5e0e7d027587284f06e7a14167ad22bb4794570b15526f3f3c4

SHA512
db0aa29afca8ad0242b8b684b31e9a6fd35b24b8c22e30c6157e44ebe650d8f49ee310123a4c6bf2578333b7655c83516549fca34b41f0fcccd2dffeac19da81

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8q3rmnBFtnf.bat

Filesize
198B

MD5
0bed3259d73c7d3fe2e25690eaa06baf

SHA1
56a144318231d47580b5e4a5745729b5499b45c7

SHA256
d5cdb86b2741840118583ed3efde8cfba977bcb5e6c6cd59f68bb6ba0f7671a6

SHA512
49fead76bd79d6d00d42562d2a9b6791e781c2997073e9b14a3816e15f40362a114b945f8f0780b99f057e2eb02d7f8aa7ae19c5c1528f24822312922239dccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKx0wbMGUMHc.bat

Filesize
198B

MD5
36bbd682728b7f7921f12d8fddc0e74c

SHA1
d50323e963147660715551d2b9dc21c72c2c89a4

SHA256
84b423f79374e7f335c0762de5e164ebd45288f1d457aec57ae3ac7c777d1185

SHA512
ddab519ab9786254febd992d362e80fdc08695bd30b9536669a57a572081fadd58731024517da4520e68d57d2f68f7ef8250180aa9fc8fb2ec669a1a21f950df

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBB32Pg0Z84v.bat

Filesize
198B

MD5
edc94e0d514968558320b9c9840f5e45

SHA1
e61f22bbba0357f10e5daa56c92f144fc61da0e4

SHA256
7c04265939c07e9d13f089ac14509c09171314047b6563bc75105d0100cad7e3

SHA512
a41304c7151e79d02a8c1c9ae99901a7d59d5cf1aa5c00dc33be1e878f9a72df5bda2cd93379b7a0095854e95c9459117b4371d917595d3a0efd6eac00d473fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwljJIdUgH6T.bat

Filesize
198B

MD5
c047ba69ec20d090a7241cbffb736288

SHA1
3d66a92c857b072001fd9b52de8bbef543946734

SHA256
e4cb6896df792e006935198102e2acb72c24890376fa508741b420f3c0b2dd8f

SHA512
aaece1e324aa1a349a3ee02edb40b196d10b9810e63be7bd9f9b943823932bfd954a3d08c3b8f797a25e92eee7bfe56d4f728a5df9df589b5deb26492ad04f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\piRZFSKcQyEN.bat

Filesize
198B

MD5
641caa995ec0862aaf344d4f2fa35e14

SHA1
4fabea46c546a5368eb9cb06c1cc687c1c15e892

SHA256
2658c970b93368fe94d830c44c2f0ffd681a04348085b877ab48f6f45be6f60b

SHA512
6defe11af140070397ee6474417180a14cb7b7ea3b0f6af920bcb46e5d412fc831d22f97e09894122a52ae79c7d4f5008fea8753d46f8837b8b90124460f120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tV4H3sHhDHxX.bat

Filesize
198B

MD5
7a2a4e69275e7c2b5f694bfe36445951

SHA1
11930b4e31143fa63ae9ec83e16df7a574e2c7f4

SHA256
512de8830e8dd7e0d2dbd1a69df2771ae433a9ffe4b4df5f1e7a635e28cb5408

SHA512
0fa7cf8bccd9aefe59d398d6e54606de2b5a0d5f8aaec227d075dc7545b7056a7495ff9423b082afa377da08345176402b110725bc758306f3248d8f7ae4ed63

Download Submit
C:\Users\Admin\AppData\Local\Temp\wXyBVuBeMdlo.bat

Filesize
198B

MD5
d386214567c8f50dd45e5c76358ac0b6

SHA1
b9e7f14ebc45f08895a2c656e19b32f850fdddc5

SHA256
957da6e1bac809164e95af5b30ccc4bc005310b838dc4649ce80b4208a2bad9f

SHA512
fece4e9768d7090ffa2f611a90e296de368d98358b5ad4352c7fd546b17acee185e0a7e7b1311e88fda44acafa6d0896c12e99bef87a36b061fcb87266ed4fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaCvFTELvnJ7.bat

Filesize
198B

MD5
51ca944524ef1643a8c64819a5a7b384

SHA1
3b9db611af0ecb400e0449cc4429b3ee1a6acb4c

SHA256
877316f5c36190701e2652c3d80098b8a5af26fdac63e92b22eb6b2e525f8fcf

SHA512
5d4014dfd9796e7def19aa0a9f271b2b4bf2c5efa31a0e3442630531f69388049d157535258c876654c41b0a8ac11b6be33a9fccf2a0564c1987b65c4b9c996c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
3fa2dcf4cad28f7ac969adb2cc6fc6a4

SHA1
6349e097b2a5c571e4c3f1ed69674c90223c064f

SHA256
da95c349b1188ee501735164abd5889a242559fbb3bcd1dd76078c5f20c4c5d8

SHA512
51988b795932058af4fb9db59d6b327231c617ad1e1c6f4f13f9da3d41740fa4e6ec3c2d89be34ca22a629b7f95de0d13beb56cd6ee2cb9297d00c5064f3503f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
f1492808f3343a42038fe230f8bb92d1

SHA1
dfd86b16183b527ae3fcfaf6a027b7baccfa888e

SHA256
84ba40209d28670c91e6e6093185337e23ea5b92047805fdec6caaca091e0110

SHA512
d18e802ccdde140d9608cf6225d675ac8d78e6a2ae2620d67d7c7621a5cc81c65ab6600e3277e414aa67272f53e0bc3d5030ce873b6dde2fe8def3f655ad9842

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
b77ae05910d5210f81f0ce8ca40f79de

SHA1
e51a4fd3f1daca3994adfd269680e4aaa426a844

SHA256
17257f46c1f2e6f9bf1e469db9e5dccc2a3e407a2d099af585a4f168409b4ce9

SHA512
7411a5654efc4638c475c4af27bada74f42eea64d58f09b72a284d6969756565e3f42fded2dc9f8f2a08a67a0b2fc533ce75ba2cc2901acc04dc48b24e2bee6d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
aebfb2cfa98cd59f9327a35bd4d4a9b7

SHA1
c262ff1e4a15eb280e6fc30fa62fecf540e7db2b

SHA256
4ce178e8b7e74a2eedc8c93d55a01eade71a97a127146ba3b9f38c57755a0da8

SHA512
03f830c4a63ed242cb0c8e38dfcaefe985d726a29cef00f73375f584c63004135ddcaaa50341ce1888992a92b01ac6effbc53b2f1d79afa444901c642fe7b831

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
12a7f3ffd6d151d629fb2455c9b6e102

SHA1
b9939d856a28bec85aa1ad45b31afe5a26bd9718

SHA256
fb9ff868e8cbaf45ffd3c2b88be04f0e14db0a5b0f71f0d8dd7c8aa530763aed

SHA512
0cd2dcee36b6cd79b3ae621af65bd81b0cfbe2c921da381a43de8e7037ef52e6117871289d07d23e1952d39e68d05436b85a240bc58d2e0da25c836aaef859c5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
f42b80a5ea6956bb6780f3803575394f

SHA1
7c1da7307aff24ef5099bbceb79598909328b4d2

SHA256
66d2487feff3adb63d8d9adfd227be39ab5c5f1ee94990e2286e952c09447966

SHA512
3b4d8045d119a7bbc2d2ea6607e03f2580d63f463632f887bf5f1294c32d5bfca6d0693dec9639c7d3cc39c9c8afac940af06a7a6702144040b5f820eb0b2805

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
492344328dad07f414c9d34e59f4d0a4

SHA1
4f0a0af78da457e3261c09fe659d5a258a512af7

SHA256
9b43bc3f8103f2e9fd09ba3674e1e78ed83f0aebbb9df408bdd1397e5519de45

SHA512
dec5267d6ffc00201046c0ee0468707f105442655bf5a7e1f3b66a8dd2684abe060a9fcecebddd50da9a44a3ee657606c79bd7d6cd0acf47c9a5ad361a0d8c28

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
b08f830c7f71208b63ea9652cbc11577

SHA1
afe9df82d0351c28f9a793dd505ba081db10f6e7

SHA256
6b1b76caa632bf4788d4f5af71673b7f2449cb63b700c3be8fef0241d4b4ccf2

SHA512
f895f87a623a0fb24b84d4117f54e10dd4249ff6726b18b5e1edcab9fc8eba0c41c0017cef4a35a4da9ed36120695db19fd44d237e95b3ee76af9c5e1b74f8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
b8919ad37a729d9cd49fe1c2e61cf3b1

SHA1
31c297a6b61a3fb1970624b5fd8e44f85e36c31d

SHA256
ea8e37a0eecd1c7dd175fac8f1821eacb5305947e01b5c4ee2b21662f4a833b7

SHA512
dc85fbcc404e4a47b1a58d05462aa10d45430e37764c1f4fba52f3e965d7328d7949555c8fe5b5a301c535547c37681fe3de66abd38cf065a2b73e9ece673832

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
38e5846b5e53cf22dacdece1990e751e

SHA1
6b1d7d9d8f80886f4be88b9121d15de6e58a79d7

SHA256
94503353401136f91c3a1de2919e228bdd51c4b47ed2a4b3a9e3ce8e790ad205

SHA512
a947be81e94841248de9ce44fda8bda93a6428b66c23c9b7afc7d07a66a834a10f8f176e5f6b075231073fa3b031f907c90f6ce130a75031536a25f5ed8070a4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
18a62e9c589ece36fc77d06fb53c0255

SHA1
5df60edc36946b51b81445fd38b9b491537f6ba5

SHA256
bea3ea53a28d607be40ec5c665f210ce790f5ef9ce15869eb1b625ffddbe926e

SHA512
8070cddf4c6367af12e988f6b366d4032c595959cdb0b74f1d43b3f335e8e43de33a30a3788bdfd5420591b17bbbac676ec4008ead7ebcd21398fa7b1221b8a9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-02-2024

Filesize
224B

MD5
2c3e291dc2f14ec1b2660fa16ae9a031

SHA1
d6972042aad504abdc3f3034e94bb2a5ddcb7f02

SHA256
f993a965ba5c2d7d7dc518d4080fe37f99856187204168b145b9f29a556e3acf

SHA512
528d16054895d4e7240b85532ad0f14cbe8404764faa03423870ed116cbc07b7b4e787a477ab26afa541bb4b3414016ef48adcb175be7f9f915d5f225b34c74a

Download Submit
C:\Windows\SysWOW64\svchost\svchost.exe

Filesize
718KB

MD5
8c48c8c45d7f3bdd3c888a1c75fa9b27

SHA1
1d212ea492feb0c4695745d51ac0ac2e9fb7b2b5

SHA256
9aab35f222f2953738e83432940f14af4e12e72a741f80fa5dec7d0197ed6e7a

SHA512
f2a4a77bdb4a3ce39eda27121dfe01f71f91cd3d89b52098c71140fa89b3b89259a9c5e3323953ac332d42af2df1ef0eebe9801a25749b4965bf635c1a841deb

Download Submit
memory/2016-83-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2204-241-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2676-203-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2732-43-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2732-57-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2732-56-0x0000000000E20000-0x0000000000E7E000-memory.dmp

Filesize
376KB

Download
memory/2732-60-0x00000000069E0000-0x00000000069EA000-memory.dmp

Filesize
40KB

Download
memory/2924-125-0x0000000000E20000-0x0000000000E7E000-memory.dmp

Filesize
376KB

Download
memory/2924-127-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2924-146-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2948-171-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2948-159-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3040-320-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3252-164-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3656-275-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3980-98-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4032-408-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4032-389-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4236-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4236-5-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/4236-0-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/4352-177-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4424-180-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4424-197-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4436-100-0x0000000000D50000-0x0000000000DAE000-memory.dmp

Filesize
376KB

Download
memory/4436-111-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4464-292-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4464-302-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4628-85-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4628-84-0x0000000000D50000-0x0000000000DAE000-memory.dmp

Filesize
376KB

Download
memory/4652-126-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4652-36-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4652-37-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4864-381-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4864-372-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4940-346-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5012-205-0x0000000000F50000-0x0000000000FAE000-memory.dmp

Filesize
376KB

Download
memory/5012-222-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5064-7-0x0000000000900000-0x000000000095E000-memory.dmp

Filesize
376KB

Download
memory/5064-34-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5064-10-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5064-25-0x0000000005270000-0x00000000052D6000-memory.dmp

Filesize
408KB

Download
memory/5064-4-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5064-27-0x0000000005F80000-0x0000000005FBC000-memory.dmp

Filesize
240KB

Download
memory/5064-24-0x0000000004BA0000-0x0000000004C32000-memory.dmp

Filesize
584KB

Download
memory/5064-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5064-3-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5064-26-0x0000000005920000-0x0000000005932000-memory.dmp

Filesize
72KB

Download
memory/5064-23-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5064-22-0x0000000004CC0000-0x0000000005264000-memory.dmp

Filesize
5.6MB

Download
memory/5064-1-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5064-8-0x0000000000900000-0x000000000095E000-memory.dmp

Filesize
376KB

Download