quasar | b42d3f4823819c1b7119774c52f89e62bfb6fec506e3530e681cf0ce0bc5557d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95823524c56268909001597a81a398d5_JaffaCakes118.exe
Size

531KB
MD5

95823524c56268909001597a81a398d5
SHA1

f732527a57d11a9dd57b4b093144c60ffa38a173
SHA256

b42d3f4823819c1b7119774c52f89e62bfb6fec506e3530e681cf0ce0bc5557d
SHA512

75cf3848026d3d1589115471b3bacd96a378c36cc6991c51f292590998a2ed4df58fe0a0139cb34d1d9722a18c5f14af52f7412f57c67275f73062da1747449f
SSDEEP

6144:stlrXYao3Rvn9dYQ0kQiwwVoab4UYJI+OWjE:OpXvQ0kQF96Y6+xg

Score

10^/10

quasar usr spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

USR

pv8stresser.xyz:45201

Mutex

yzyrfG0e0ojtGuJLLm

Attributes

encryption_key
0PxbjHekumnMpxMDOLOWYxcgvcGzNRtp
install_name
Client.exe
log_directory
Mozilla
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5112-1-0x0000000000760000-0x00000000007EC000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe95823524c56268909001597a81a398d5_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95823524c56268909001597a81a398d5_JaffaCakes118.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
63 ip-api.com
93 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
13	ip-api.com
63	ip-api.com
93	ip-api.com

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2848	5112	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
2412	4084	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
4384	3164	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
1932	1072	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
3120	4876	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
2644	1388	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
1496	4236	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
5112	4444	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
336	1616	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
692	1992	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
872	2440	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
5024	2552	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
3908	3716	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
4124	4676	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2720	PING.EXE
4504	PING.EXE
3376	PING.EXE
4832	PING.EXE
2384	PING.EXE
3588	PING.EXE
2812	PING.EXE
1984	PING.EXE
4488	PING.EXE
1604	PING.EXE
1476	PING.EXE
464	PING.EXE
2528	PING.EXE
3708	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	5112	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	4084	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	3164	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	1072	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	4876	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	1388	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	4236	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	4444	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	1616	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	1992	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	2440	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	2552	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	3716	95823524c56268909001597a81a398d5_JaffaCakes118.exe
Token: SeDebugPrivilege	4676	95823524c56268909001597a81a398d5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

pid	process
5112	95823524c56268909001597a81a398d5_JaffaCakes118.exe
1388	95823524c56268909001597a81a398d5_JaffaCakes118.exe
4236	95823524c56268909001597a81a398d5_JaffaCakes118.exe
4444	95823524c56268909001597a81a398d5_JaffaCakes118.exe
1616	95823524c56268909001597a81a398d5_JaffaCakes118.exe
2440	95823524c56268909001597a81a398d5_JaffaCakes118.exe
2552	95823524c56268909001597a81a398d5_JaffaCakes118.exe
3716	95823524c56268909001597a81a398d5_JaffaCakes118.exe
4676	95823524c56268909001597a81a398d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

95823524c56268909001597a81a398d5_JaffaCakes118.execmd.exe95823524c56268909001597a81a398d5_JaffaCakes118.execmd.exe95823524c56268909001597a81a398d5_JaffaCakes118.execmd.exe95823524c56268909001597a81a398d5_JaffaCakes118.execmd.exe95823524c56268909001597a81a398d5_JaffaCakes118.execmd.exe95823524c56268909001597a81a398d5_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 5112 wrote to memory of 4876	5112	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 5112 wrote to memory of 4876	5112	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 5112 wrote to memory of 4876	5112	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 4876 wrote to memory of 4668	4876	cmd.exe	chcp.com
PID 4876 wrote to memory of 4668	4876	cmd.exe	chcp.com
PID 4876 wrote to memory of 4668	4876	cmd.exe	chcp.com
PID 4876 wrote to memory of 4488	4876	cmd.exe	PING.EXE
PID 4876 wrote to memory of 4488	4876	cmd.exe	PING.EXE
PID 4876 wrote to memory of 4488	4876	cmd.exe	PING.EXE
PID 4876 wrote to memory of 4084	4876	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 4876 wrote to memory of 4084	4876	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 4876 wrote to memory of 4084	4876	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 4084 wrote to memory of 3732	4084	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 4084 wrote to memory of 3732	4084	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 4084 wrote to memory of 3732	4084	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 3732 wrote to memory of 4516	3732	cmd.exe	chcp.com
PID 3732 wrote to memory of 4516	3732	cmd.exe	chcp.com
PID 3732 wrote to memory of 4516	3732	cmd.exe	chcp.com
PID 3732 wrote to memory of 1604	3732	cmd.exe	PING.EXE
PID 3732 wrote to memory of 1604	3732	cmd.exe	PING.EXE
PID 3732 wrote to memory of 1604	3732	cmd.exe	PING.EXE
PID 3732 wrote to memory of 3164	3732	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 3732 wrote to memory of 3164	3732	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 3732 wrote to memory of 3164	3732	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 3164 wrote to memory of 4504	3164	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 3164 wrote to memory of 4504	3164	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 3164 wrote to memory of 4504	3164	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 4504 wrote to memory of 4696	4504	cmd.exe	chcp.com
PID 4504 wrote to memory of 4696	4504	cmd.exe	chcp.com
PID 4504 wrote to memory of 4696	4504	cmd.exe	chcp.com
PID 4504 wrote to memory of 1476	4504	cmd.exe	PING.EXE
PID 4504 wrote to memory of 1476	4504	cmd.exe	PING.EXE
PID 4504 wrote to memory of 1476	4504	cmd.exe	PING.EXE
PID 4504 wrote to memory of 1072	4504	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 4504 wrote to memory of 1072	4504	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 4504 wrote to memory of 1072	4504	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 1072 wrote to memory of 4040	1072	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 1072 wrote to memory of 4040	1072	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 1072 wrote to memory of 4040	1072	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 4040 wrote to memory of 5024	4040	cmd.exe	chcp.com
PID 4040 wrote to memory of 5024	4040	cmd.exe	chcp.com
PID 4040 wrote to memory of 5024	4040	cmd.exe	chcp.com
PID 4040 wrote to memory of 3376	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 3376	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 3376	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 4876	4040	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 4040 wrote to memory of 4876	4040	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 4040 wrote to memory of 4876	4040	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 4876 wrote to memory of 3720	4876	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 4876 wrote to memory of 3720	4876	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 4876 wrote to memory of 3720	4876	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 3720 wrote to memory of 4760	3720	cmd.exe	chcp.com
PID 3720 wrote to memory of 4760	3720	cmd.exe	chcp.com
PID 3720 wrote to memory of 4760	3720	cmd.exe	chcp.com
PID 3720 wrote to memory of 4832	3720	cmd.exe	PING.EXE
PID 3720 wrote to memory of 4832	3720	cmd.exe	PING.EXE
PID 3720 wrote to memory of 4832	3720	cmd.exe	PING.EXE
PID 3720 wrote to memory of 1388	3720	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 3720 wrote to memory of 1388	3720	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 3720 wrote to memory of 1388	3720	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 1388 wrote to memory of 544	1388	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 1388 wrote to memory of 544	1388	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 1388 wrote to memory of 544	1388	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 544 wrote to memory of 2060	544	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1vM7fiBdmGU1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4668

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:4488

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Aht7wJyBisSg.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:4516

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:1604

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4DfslGQg1bTi.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:4696

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:1476

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmmrXwozr5xP.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\chcp.com
chcp 65001
9⤵
PID:5024

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:3376

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
9⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lXQTLMNlmfUX.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\chcp.com
chcp 65001
11⤵
PID:4760

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:4832

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
11⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKSTfPpikWF2.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\chcp.com
chcp 65001
13⤵
PID:2060

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:2720

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
13⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgMMtWNXt8ey.bat" "
14⤵
PID:2128

C:\Windows\SysWOW64\chcp.com
chcp 65001
15⤵
PID:4240

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:464

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
15⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyK3i1g0VPuX.bat" "
16⤵
PID:1672

C:\Windows\SysWOW64\chcp.com
chcp 65001
17⤵
PID:872

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
17⤵
- Runs ping.exe
PID:2384

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
17⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMI23iLGbB9G.bat" "
18⤵
PID:4516

C:\Windows\SysWOW64\chcp.com
chcp 65001
19⤵
PID:4876

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
19⤵
- Runs ping.exe
PID:3588

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
19⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19qgID9dTwn1.bat" "
20⤵
PID:2604

C:\Windows\SysWOW64\chcp.com
chcp 65001
21⤵
PID:848

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:2528

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
21⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZvQaVMFCQ4kv.bat" "
22⤵
PID:3308

C:\Windows\SysWOW64\chcp.com
chcp 65001
23⤵
PID:5112

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
23⤵
- Runs ping.exe
PID:4504

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
23⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3puPPIQTfdhj.bat" "
24⤵
PID:4496

C:\Windows\SysWOW64\chcp.com
chcp 65001
25⤵
PID:3316

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
25⤵
- Runs ping.exe
PID:3708

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
25⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uBYKybwzNr8u.bat" "
26⤵
PID:4696

C:\Windows\SysWOW64\chcp.com
chcp 65001
27⤵
PID:4148

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
27⤵
- Runs ping.exe
PID:1984

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
27⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0YUakf2pDVv.bat" "
28⤵
PID:3588

C:\Windows\SysWOW64\chcp.com
chcp 65001
29⤵
PID:2868

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
29⤵
- Runs ping.exe
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 2264
28⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 2220
26⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 2260
24⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 2260
22⤵
- Program crash
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 2240
20⤵
- Program crash
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 2260
18⤵
- Program crash
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 2244
16⤵
- Program crash
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 2284
14⤵
- Program crash
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 2324
12⤵
- Program crash
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 2224
10⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 2260
8⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 2240
6⤵
- Program crash
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 2224
4⤵
- Program crash
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 2356
2⤵
- Program crash
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5112 -ip 5112
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4084 -ip 4084
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3164 -ip 3164
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1072 -ip 1072
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4876 -ip 4876
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1388 -ip 1388
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4236 -ip 4236
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4444 -ip 4444
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1616 -ip 1616
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1992 -ip 1992
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2440 -ip 2440
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2552 -ip 2552
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3716 -ip 3716
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4676 -ip 4676
1⤵
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19qgID9dTwn1.bat
Filesize
243B

MD5
d1a7add6bc4ae74d8dbe0850ed07d493

SHA1
6eda1264b86332b8975be38b246ae22c3ff1ef5b

SHA256
ea0ff11b3d16312b79b4941606ad39136df3bb70f505fcc0518e618ac708bd82

SHA512
4b9ffbaad4c6418e3205637c8462e9f3edf31cba2028f77d761678ae80a1876cc0b61e51a2a455f8774974f0bf30f8e19ae6998cccf46ecf223427df8612bd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vM7fiBdmGU1.bat
Filesize
243B

MD5
f1e1b530bb25ee9198c4de4d948bfb11

SHA1
ac6e27eb698703cc10289de2e358d7b47a4c81a9

SHA256
8dcc4aeeb5469e32ea280969d0e0b60e41a4aacb9beef5cbe45833e59af5b621

SHA512
2e1ba996f45b0cdc93b475c3fbaad05e600be0efdbb5a540cbad970350f5ebd6220d8e2bfed3195b10a7fafa9ccbde5e4510de796d0a5ad6e729a3c46e31dee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3puPPIQTfdhj.bat
Filesize
243B

MD5
fe99bc959240f94e2b1447011d811a82

SHA1
66fe28f8ace401246a1ab8e860919e67604d9c09

SHA256
c0623e2d445df4a4ccca182c7b8f6579fa9dd50fa581f3a64b2b4e551bc250ea

SHA512
7549a5f6d15b0a57d812b4d0f776dd5edc234f6a60f5aeb0912097a0fd1ae25771b3802bf1ca0cccf855c02808d7039b2eb5ed1d9a8428b4d69ccd2f09c96bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DfslGQg1bTi.bat
Filesize
243B

MD5
3e54fbb7a05cab59033f6392875134df

SHA1
6596673f43d17b8725d4c96c05d7be2ae375d76d

SHA256
1ffb4919a2ad4071e45df572393d4625dff18ddd78c22c0bf157dfff9949ad82

SHA512
36b6113682ac4e618b1e649021c35debb610d3688c25156feafc6743774f3f99ebcda2e81a3ccb137bea4e1bb24ca06611f65c0daef91fdb0faea93c8e5fcf05

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgMMtWNXt8ey.bat
Filesize
243B

MD5
703bc24683d2fe6254ad34e9c6036f01

SHA1
b1e963f3e75db1140b76ac8f14c73ee1056cb63a

SHA256
1217300bf7b68ad6bce4f7957c176c93c93f0edb488b3176f0decea46c7e0599

SHA512
f468a29eeb79a672b0dfc829c6ac93cfd9ca100058a39b711cac0252596a7555b3882f772d93d6749dfb1fb9d95c5cc4d1d73074749a401980e1aa5999103877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aht7wJyBisSg.bat
Filesize
243B

MD5
e79d6d33163f2ff2ea16283967f0bf9f

SHA1
e0c2044e872364cceadc0b74e9b0dc9a949f89b5

SHA256
718fd5e384b71d2c64d803ee87c5ecdbc993eebd557513ca8233bea4e43a3e8c

SHA512
798ac0efc934499b43bda358e082efc7c1d9916416c1e053454d12ddb72dbbb2f56c4b0b7bb13bd7983da58fab8802b1ceac1f0433689eecdf49c06a824266c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZvQaVMFCQ4kv.bat
Filesize
243B

MD5
0ccf67b8c0c2ffea9576e60414f42201

SHA1
3451c06acae2675c92f015e5cb53870bab5e2658

SHA256
af0a87f131e981f0ade7968e7728c01fb4e407c849cd5cd605013fe0e9d9cb33

SHA512
4b2c8634f6c45f2554ad5fc8517fed8f8cb39b4440ac9ded4bccdad919f0298e206805fb0a078fb88f2879099acd533208d7a3f1eadd08453e670ecf5b4b5b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0YUakf2pDVv.bat
Filesize
243B

MD5
88b7c70821ef0e3201066b247f3e9526

SHA1
b866c119afb6af4ffa499c7bb8c9c4bc5264c82c

SHA256
41910525ca0e43b326d307601c8ca632ab7a9e7146f92168141669949d50c798

SHA512
fad124996c438fb067481a6e8044477e4026e36134f05634a1a2e47e56751fe0e149b4925dc4d277e589be6d8de9728992123bf5c9e08a36eab789642c41a6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKSTfPpikWF2.bat
Filesize
243B

MD5
7a6e2a23abded91012710a9d63fd4458

SHA1
150d00630ed432609a88013b4cf4a935efcc6b20

SHA256
112aec00bd11f74df465b7264368c9ca2d6facc01ae53eb6bc8d5a5bd4f50827

SHA512
c124a78121d7e6df4d2fb920ccf28be6f5964b1cfd9db878173b0b512eda4a9db8ff2317ce121fa6058195798150ce92f63b7c654f5b17f077949805ebcd5920

Download Submit
C:\Users\Admin\AppData\Local\Temp\lXQTLMNlmfUX.bat
Filesize
243B

MD5
12c522f4e004a00fe606f83f87e14a88

SHA1
a8fb6071981b810dd742fd491c4b75967895250a

SHA256
4527b11981889e8804271f2099dc393021e0b71c6b843e0194dcaa04b1c695af

SHA512
25403b70673a47c495f8e3da6fcf57e1ffafaa410d861caf86abb4763681f3527966edc331adebe7949a0639a13020324613d1d74fdf3a45a6f0e2366d5f3cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMI23iLGbB9G.bat
Filesize
243B

MD5
09e9ac9459497d9297189b9ab2e6e2c4

SHA1
73c7e0c7f2e6ad3a3370a3362563f15d3ed4db83

SHA256
5807c6903750e904ec829cae6405e12d96d6e4e2d8bbd26ff076627b5cabf1b5

SHA512
045b264ee420e69a5a17063c4edd2ee341b009ab26ee156895a340bde4502ea70721b3770f54af4f2a4c225386e88efe15ea750c5146f57862e2146c8f84e8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBYKybwzNr8u.bat
Filesize
243B

MD5
4b636c3dd889a481d575b3b2a3b5449f

SHA1
5fdcfcc43f8ca33bd69c725b47de84c3bec30825

SHA256
63ff0e97d021490f952940778a35acb8517cc8b2a550a69deee3b9a863965ed1

SHA512
f8fac6117a201bbde6d06ba351eedbd057aceaaa13d75e7c68231a1aa8ac89e87cc92bb81cc69dceba54dfe446fd0a549361c36b2516df82febadfb790356027

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmmrXwozr5xP.bat
Filesize
243B

MD5
9b219822af021d66f054b4b9a5e0fdd2

SHA1
a96c71ef09130155c561c425263af1be7fc7fd89

SHA256
26c7f758463bd66d243f4618be53e7fd688c284fb1a90a1ffe4282e61adf9de1

SHA512
8111bce841f6475052bafa7b8a6382856dddc4b927fd41699f3d6bd769d64f544e5594894833359d14ca44291347f4fd861e2a45a530cf13867e4f7d422353af

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyK3i1g0VPuX.bat
Filesize
243B

MD5
b8efc464b4ebd92672679e6996f52837

SHA1
20fc54bb1a9a5f72a5471de3e3950b3bcfed70ce

SHA256
06f57588dc3e26de7d39e97ce70f2d83e20599eb206a1e389c9042556c9ca3eb

SHA512
c0f1ed625abda67705e747089ab3da9f0859fd2aad0e4d4e2af466920f811bdcfe6ff3102b46ad60910d3a407c744ff55713f53f35bf9cb7c8cf5c4d8aa7966d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\06-04-2024
Filesize
224B

MD5
94f3cf709268ab0d9099668626cecb17

SHA1
933c0db29d639a887a36ec06db5421f481e46a8c

SHA256
50ba7da38ee667febdeb38fdd7b97de5ce74699e0f0d0e9f2f50441b6957d800

SHA512
d36296d63c44f8c903d9f4f84c990ed37ab7b7f3b973b2a91ab187f295061e9515ab5a866c3cb41e6c374cd1282bd78d515e79e7f15bdc53e5dbc0131a3c915d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\06-04-2024
Filesize
224B

MD5
198ff9432ad42dde1189bd8a556d84a0

SHA1
1eba0667f6613862b0bfa5b45035b969787d2396

SHA256
348687210b550081a76493066c60bfe9cfa64ecbf6f75109b87e289bd6978e58

SHA512
aac1ccd186bc5867f85206c767bde51d97f028fb6d504b2f8dc29a26c9230241f9d77b55840034e14322430c6decbf4c7d53de76a89efa36c6e2da608f84e8b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\06-04-2024
Filesize
224B

MD5
3ee97ca091ee859455a60629199ad5f5

SHA1
3a63817b2aeff5d1a77d738fa923225f4903ecba

SHA256
72755a9ce54adbb7e992f407d43e6dd091130ad26cc65e99846768b5ae7a272f

SHA512
f5465079366e053c8df709d98f2e1dd03c4f3f4c9828de5f5052126bf991e0caac918be484124428b96589da16924750ce519833bb90e1f6234702739c5d977e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\06-04-2024
Filesize
224B

MD5
25b974d436293c531e64918b257f40bb

SHA1
cd6be4b1a37a0dee11462c839b04c1cae8adc54b

SHA256
c9a238b298ef187ed06eb5c7e5aa499d847f8dc33ccc8237e1914e156056bffc

SHA512
52ca51a2f556b087e9debf7c1efdaf9e3f4e0a990421da6783c26f362af585ad127f36eec8b6864b75b412e4b0837a8e3b84301119db3ac91719b0598ac267c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\06-04-2024
Filesize
224B

MD5
5a9f76b6ff147f09ee382222aaa8f74d

SHA1
6e1c1fdb50eb47c8edc4177044106aa9a0f061f4

SHA256
33286669459fb2ffeab0ef11da123b26e956ecc5f28a51ed75febe884732bef0

SHA512
3c7299507d70c0f1d386166f782f01eb52633d8d2de96e6042c54c98730689e4ee30ffb6b3721ce4ca29db60e2dce2c2ab894eb0c061644ea3798b13ebaeb551

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\06-04-2024
Filesize
224B

MD5
e9714086ba146926c003484a08034c4d

SHA1
7d14d81178f193581fe2546b4eb7b66757b87788

SHA256
dc7ca55e24fe8ef65c1c3fc77ee4c639b638d59736cc3d31952541e183bbed5e

SHA512
1515e8afd5e3f35f80708876f76eb5b355a781b5fdf9977fb86ed081670c42b4d7fc4db4b3114969d618bd1f7b0c85dae72eaadf10de2002e3a2f4a58e9849b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\06-04-2024
Filesize
224B

MD5
4b9c016f556a103084c5d8d4b721a55e

SHA1
4f762f8c8e8db4b7ac2d4218ae07de53b613f9b2

SHA256
e7d94e021064c3b4fa2d242bc0accf2758f9b8264b529968c4cfdbee5e11a138

SHA512
1832ca7e124a38ac3a55b408998d5843fd88971ae861ffca460c86ebfca962da48efd46ad41ea716b12002826ff8a7058c870cf49ccfe8503819fb799f3bbdf7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\06-04-2024
Filesize
224B

MD5
890e686836690f3d522c3f955662fc51

SHA1
250e44139babbf5b4e7dde1dd10ce88633bd81f7

SHA256
53477624ca2a3d556ddf3ff97b4fd646df9f20c5c8cf7c4b579fcc201eccf4c2

SHA512
7bba81631cc2125ec78c5bd31ac67575a5909751ce49674443e446606a865737c6f73054c582f002728dcee50f19f513babcb4dbceb096108b6ac4c88bcd310b

Download Submit
memory/4084-24-0x0000000074B90000-0x0000000074C3B000-memory.dmp

Filesize
684KB

Download
memory/4084-19-0x0000000074B90000-0x0000000074C3B000-memory.dmp

Filesize
684KB

Download
memory/5112-6-0x0000000006010000-0x0000000006022000-memory.dmp

Filesize
72KB

Download
memory/5112-4-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/5112-7-0x0000000006690000-0x00000000066CC000-memory.dmp

Filesize
240KB

Download
memory/5112-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/5112-10-0x0000000006A00000-0x0000000006A0A000-memory.dmp

Filesize
40KB

Download
memory/5112-5-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/5112-9-0x0000000006A20000-0x0000000006A70000-memory.dmp

Filesize
320KB

Download
memory/5112-8-0x0000000006F60000-0x0000000007578000-memory.dmp

Filesize
6.1MB

Download
memory/5112-11-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/5112-3-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/5112-12-0x0000000007580000-0x0000000007632000-memory.dmp

Filesize
712KB

Download
memory/5112-2-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/5112-18-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/5112-1-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download