cybergate | 7ce728a04d8288a3bbd3d394993168f0f74e1238eaedf0d836a6a118a84329b5

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
Size

684KB
MD5

5aa0854f2d4548b989704cac16645c99
SHA1

d42225920412b1a477817b8b2f132c75ddbc1b73
SHA256

7ce728a04d8288a3bbd3d394993168f0f74e1238eaedf0d836a6a118a84329b5
SHA512

38d1f45d65980f96e4d9fc02527423d52fd4b00a0cf69592baaf8529acaaa1e1150085a6cf83b1eeb9dbee1ecdc5fb53d48c339b014ea424ca19f88bd4b1ac3b
SSDEEP

12288:7DQKbCUVLJunGBpGztVLC9NCE6SUCbOxGSMQXu1tnux:QbGipbbhMQ+Pnux

Score

10^/10

cybergate nod32 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

Nod32

nod32system.bounceme.net:1003

Mutex

Nod_32System

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
Win32
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
PP0i8X
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RconScanner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win32\\svchost.exe"	RconScanner.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RconScanner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win32\\svchost.exe"	RconScanner.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{T6SJJBXO-20CM-03TD-5SDT-5KS1670P7T8F}	RconScanner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{T6SJJBXO-20CM-03TD-5SDT-5KS1670P7T8F}\StubPath = "C:\\Windows\\Win32\\svchost.exe Restart"	RconScanner.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{T6SJJBXO-20CM-03TD-5SDT-5KS1670P7T8F}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{T6SJJBXO-20CM-03TD-5SDT-5KS1670P7T8F}\StubPath = "C:\\Windows\\Win32\\svchost.exe"	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2716	RconScanner.exe
2764	RconScanner.exe
5964	RconScanner.exe
4424	svchost.exe
4548	svchost.exe
4620	svchost.exe
6180	svchost.exe
4212	svchost.exe
4140	svchost.exe
9196	svchost.exe
7380	svchost.exe
7224	svchost.exe
3312	svchost.exe
3184	svchost.exe
2916	svchost.exe
9688	svchost.exe
9780	svchost.exe
9880	svchost.exe
14392	svchost.exe
14428	svchost.exe
14480	svchost.exe
14348	svchost.exe
14404	svchost.exe
14464	svchost.exe
12592	svchost.exe
12632	svchost.exe
12708	svchost.exe
13892	svchost.exe
13944	svchost.exe
14044	svchost.exe
17116	svchost.exe
17144	svchost.exe
17188	svchost.exe
17472	svchost.exe
17500	svchost.exe
17560	svchost.exe
14028	svchost.exe
17168	svchost.exe
17288	svchost.exe
15984	svchost.exe
15928	svchost.exe
15780	svchost.exe
12916	svchost.exe
12988	svchost.exe
11188	svchost.exe
21072	svchost.exe
21108	svchost.exe
21172	svchost.exe
17976	svchost.exe
18064	svchost.exe
18236	svchost.exe
27472	svchost.exe
27500	svchost.exe
27568	svchost.exe
26336	svchost.exe
26372	svchost.exe
26428	svchost.exe
26632	svchost.exe
26660	svchost.exe
26784	svchost.exe
28192	svchost.exe
28220	svchost.exe
28284	svchost.exe
23564	svchost.exe

Loads dropped DLL 64 IoCs

pid	Process
2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
1692	explorer.exe
1692	explorer.exe
6272	WerFault.exe
6272	WerFault.exe
6272	WerFault.exe
6272	WerFault.exe
6272	WerFault.exe
1692	explorer.exe
9144	WerFault.exe
9144	WerFault.exe
9144	WerFault.exe
9144	WerFault.exe
1692	explorer.exe
9144	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
1692	explorer.exe
1692	explorer.exe
9668	WerFault.exe
9668	WerFault.exe
9668	WerFault.exe
9668	WerFault.exe
9668	WerFault.exe
14352	WerFault.exe
14352	WerFault.exe
14352	WerFault.exe
14352	WerFault.exe
14352	WerFault.exe
1692	explorer.exe
1356	WerFault.exe
1356	WerFault.exe
1356	WerFault.exe
1356	WerFault.exe
1356	WerFault.exe
1692	explorer.exe
12544	WerFault.exe
12544	WerFault.exe
12544	WerFault.exe
12544	WerFault.exe
12544	WerFault.exe
1692	explorer.exe
13796	WerFault.exe
13796	WerFault.exe
13796	WerFault.exe
13796	WerFault.exe
13796	WerFault.exe
1692	explorer.exe
17080	WerFault.exe
17080	WerFault.exe
17080	WerFault.exe
17080	WerFault.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2764-83-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/2764-87-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/2764-88-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/2764-90-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/2764-89-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/4548-8713-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/1692-11213-0x0000000008A30000-0x0000000008A42000-memory.dmp	upx
behavioral1/memory/2764-11212-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/7380-14251-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/3184-16758-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/4548-16779-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/4212-19363-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/1692-21844-0x0000000008A30000-0x0000000008A42000-memory.dmp	upx
behavioral1/memory/14428-21845-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/7380-21864-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/14404-24340-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/3184-24381-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/9780-26879-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/13944-29335-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/14428-29379-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/17144-31836-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/14404-31858-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/17500-34339-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/12632-34360-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/17168-36834-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/13944-36857-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/15928-39336-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/17144-39357-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/12988-41836-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/17500-41856-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/17168-44357-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/18064-46835-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/15928-46858-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/27500-49341-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/12988-49362-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/26372-51840-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/21108-51864-0x0000000000400000-0x00000000004D2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Win32\\svchost.exe"	RconScanner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Win32\\svchost.exe"	RconScanner.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RconScanner.exe	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RconScanner.exe	RconScanner.exe

Suspicious use of SetThreadContext 29 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2764	2716	RconScanner.exe	31
PID 4424 set thread context of 4548	4424	svchost.exe	37
PID 6180 set thread context of 4212	6180	svchost.exe	41
PID 9196 set thread context of 7380	9196	svchost.exe	45
PID 3312 set thread context of 3184	3312	svchost.exe	49
PID 9688 set thread context of 9780	9688	svchost.exe	53
PID 14392 set thread context of 14428	14392	svchost.exe	57
PID 14348 set thread context of 14404	14348	svchost.exe	61
PID 12592 set thread context of 12632	12592	svchost.exe	65
PID 13892 set thread context of 13944	13892	svchost.exe	69
PID 17116 set thread context of 17144	17116	svchost.exe	73
PID 17472 set thread context of 17500	17472	svchost.exe	77
PID 14028 set thread context of 17168	14028	svchost.exe	81
PID 15984 set thread context of 15928	15984	svchost.exe	85
PID 12916 set thread context of 12988	12916	svchost.exe	89
PID 21072 set thread context of 21108	21072	svchost.exe	93
PID 17976 set thread context of 18064	17976	svchost.exe	97
PID 27472 set thread context of 27500	27472	svchost.exe	101
PID 26336 set thread context of 26372	26336	svchost.exe	105
PID 26632 set thread context of 26660	26632	svchost.exe	109
PID 28192 set thread context of 28220	28192	svchost.exe	113
PID 23564 set thread context of 23636	23564	svchost.exe	117
PID 28240 set thread context of 28296	28240	svchost.exe	121
PID 27792 set thread context of 27928	27792	svchost.exe	125
PID 30432 set thread context of 30468	30432	svchost.exe	129
PID 35492 set thread context of 35516	35492	svchost.exe	133
PID 32744 set thread context of 28724	32744	svchost.exe	137
PID 35564 set thread context of 35612	35564	svchost.exe	141
PID 34980 set thread context of 35052	34980	svchost.exe	145

Drops file in Windows directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	RconScanner.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File created	C:\Windows\Win32\svchost.exe	RconScanner.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Win32\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
4372	5964	WerFault.exe	34
6272	4620	WerFault.exe	38
9144	4140	WerFault.exe	42
3460	7224	WerFault.exe	46
9668	2916	WerFault.exe	50
14352	9880	WerFault.exe	54
1356	14480	WerFault.exe	58
12544	14464	WerFault.exe	62
13796	12708	WerFault.exe	66
17080	14044	WerFault.exe	70
17436	17188	WerFault.exe	74
17024	17560	WerFault.exe	78
19432	17288	WerFault.exe	82
16304	15780	WerFault.exe	86
21016	11188	WerFault.exe	90
17884	21172	WerFault.exe	94
27436	18236	WerFault.exe	98
26300	27568	WerFault.exe	102
22924	26428	WerFault.exe	106
28164	26784	WerFault.exe	110
19332	28284	WerFault.exe	114
28152	23804	WerFault.exe	118
27724	28456	WerFault.exe	122
30392	28076	WerFault.exe	126
35452	30556	WerFault.exe	130
34784	35588	WerFault.exe	134
35492	29752	WerFault.exe	138
34948	35716	WerFault.exe	142

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	RconScanner.exe
2764	RconScanner.exe
4548	svchost.exe
4548	svchost.exe
4212	svchost.exe
4212	svchost.exe
7380	svchost.exe
7380	svchost.exe
3184	svchost.exe
3184	svchost.exe
9780	svchost.exe
9780	svchost.exe
14428	svchost.exe
14428	svchost.exe
14404	svchost.exe
14404	svchost.exe
12632	svchost.exe
12632	svchost.exe
13944	svchost.exe
13944	svchost.exe
17144	svchost.exe
17144	svchost.exe
17500	svchost.exe
17500	svchost.exe
17168	svchost.exe
17168	svchost.exe
15928	svchost.exe
15928	svchost.exe
15928	svchost.exe
15928	svchost.exe
12988	svchost.exe
12988	svchost.exe
12988	svchost.exe
12988	svchost.exe
21108	svchost.exe
21108	svchost.exe
21108	svchost.exe
21108	svchost.exe
18064	svchost.exe
18064	svchost.exe
18064	svchost.exe
18064	svchost.exe
18064	svchost.exe
18064	svchost.exe
27500	svchost.exe
27500	svchost.exe
27500	svchost.exe
27500	svchost.exe
27500	svchost.exe
27500	svchost.exe
26372	svchost.exe
26372	svchost.exe
26372	svchost.exe
26372	svchost.exe
26372	svchost.exe
26372	svchost.exe
26660	svchost.exe
26660	svchost.exe
26660	svchost.exe
26660	svchost.exe
26660	svchost.exe
26660	svchost.exe
28220	svchost.exe
28220	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	RconScanner.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
2716	RconScanner.exe
2716	RconScanner.exe
5964	RconScanner.exe
4424	svchost.exe
4424	svchost.exe
4620	svchost.exe
6180	svchost.exe
6180	svchost.exe
4140	svchost.exe
9196	svchost.exe
9196	svchost.exe
7224	svchost.exe
3312	svchost.exe
3312	svchost.exe
2916	svchost.exe
9688	svchost.exe
9688	svchost.exe
9880	svchost.exe
14392	svchost.exe
14392	svchost.exe
14480	svchost.exe
14348	svchost.exe
14348	svchost.exe
14464	svchost.exe
12592	svchost.exe
12592	svchost.exe
12708	svchost.exe
13892	svchost.exe
13892	svchost.exe
14044	svchost.exe
17116	svchost.exe
17116	svchost.exe
17188	svchost.exe
17472	svchost.exe
17472	svchost.exe
17560	svchost.exe
14028	svchost.exe
14028	svchost.exe
17288	svchost.exe
15984	svchost.exe
15984	svchost.exe
15780	svchost.exe
12916	svchost.exe
12916	svchost.exe
11188	svchost.exe
21072	svchost.exe
21072	svchost.exe
21172	svchost.exe
17976	svchost.exe
17976	svchost.exe
18236	svchost.exe
27472	svchost.exe
27472	svchost.exe
27568	svchost.exe
26336	svchost.exe
26336	svchost.exe
26428	svchost.exe
26632	svchost.exe
26632	svchost.exe
26784	svchost.exe
28192	svchost.exe
28192	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2716	2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2716	2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2716	2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2716	2676	5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2764	2716	RconScanner.exe	31
PID 2716 wrote to memory of 2764	2716	RconScanner.exe	31
PID 2716 wrote to memory of 2764	2716	RconScanner.exe	31
PID 2716 wrote to memory of 2764	2716	RconScanner.exe	31
PID 2716 wrote to memory of 2764	2716	RconScanner.exe	31
PID 2716 wrote to memory of 2764	2716	RconScanner.exe	31
PID 2716 wrote to memory of 2764	2716	RconScanner.exe	31
PID 2716 wrote to memory of 2764	2716	RconScanner.exe	31
PID 2716 wrote to memory of 2764	2716	RconScanner.exe	31
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21
PID 2764 wrote to memory of 1200	2764	RconScanner.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa0854f2d4548b989704cac16645c99_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\RconScanner.exe
    "C:\Windows\system32\RconScanner.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\RconScanner.exe
      "C:\Windows\SysWOW64\RconScanner.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        
        PID:1692
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4424
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 224
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:6272
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6180
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 236
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:9144
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:9196
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:7380
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 220
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:3460
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3312
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3184
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 228
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:9668
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:9688
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:9780
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:9880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9880 -s 224
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:14352
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:14392
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:14428
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:14480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14480 -s 220
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1356
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:14348
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:14404
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:14464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14464 -s 224
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:12544
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:12592
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:12632
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:12708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12708 -s 220
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:13796
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:13892
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:13944
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:14044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14044 -s 224
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:17080
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:17116
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:17144
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:17188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 17188 -s 224
        9⤵
        Program crash
        
        PID:17436
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:17472
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:17500
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:17560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 17560 -s 224
        9⤵
        Program crash
        
        PID:17024
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:14028
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:17168
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:17288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 17288 -s 224
        9⤵
        Program crash
        
        PID:19432
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:15984
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:15928
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:15780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15780 -s 224
        9⤵
        Program crash
        
        PID:16304
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:12916
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:12988
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:11188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11188 -s 224
        9⤵
        Program crash
        
        PID:21016
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:21072
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:21108
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:21172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 21172 -s 224
        9⤵
        Program crash
        
        PID:17884
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:17976
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:18064
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:18236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 18236 -s 224
        9⤵
        Program crash
        
        PID:27436
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:27472
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:27500
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:27568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 27568 -s 224
        9⤵
        Program crash
        
        PID:26300
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:26336
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:26372
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:26428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 26428 -s 224
        9⤵
        Program crash
        
        PID:22924
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:26632
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:26660
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:26784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 26784 -s 224
        9⤵
        Program crash
        
        PID:28164
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:28192
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:28220
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        Executes dropped EXE
        
        PID:28284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28284 -s 224
        9⤵
        Program crash
        
        PID:19332
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:23564
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Drops file in Windows directory
        
        PID:23636
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        
        PID:23804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 23804 -s 224
        9⤵
        Program crash
        
        PID:28152
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:28240
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Drops file in Windows directory
        
        PID:28296
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        
        PID:28456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28456 -s 224
        9⤵
        Program crash
        
        PID:27724
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:27792
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Drops file in Windows directory
        
        PID:27928
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        
        PID:28076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28076 -s 224
        9⤵
        Program crash
        
        PID:30392
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:30432
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Drops file in Windows directory
        
        PID:30468
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        
        PID:30556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 30556 -s 224
        9⤵
        Program crash
        
        PID:35452
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:35492
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Drops file in Windows directory
        
        PID:35516
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        
        PID:35588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 35588 -s 224
        9⤵
        Program crash
        
        PID:34784
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:32744
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Drops file in Windows directory
        
        PID:28724
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        
        PID:29752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 29752 -s 224
        9⤵
        Program crash
        
        PID:35492
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:35564
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Drops file in Windows directory
        
        PID:35612
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        8⤵
        
        PID:35716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 35716 -s 228
        9⤵
        Program crash
        
        PID:34948
      - C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        6⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:34980
        
        C:\Windows\Win32\svchost.exe
        
        "C:\Windows\Win32\svchost.exe"
        7⤵
        Drops file in Windows directory
        
        PID:35052
    - - C:\Windows\SysWOW64\RconScanner.exe
        
        "C:\Windows\SysWOW64\RconScanner.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 228
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
cf635fad47e7ab785d4efaf1b9ee2f2d

SHA1
30255948334354db4547e0e9426f58d38548b062

SHA256
dd7e369dcde54ddf9675e9b1c84cff63443c84f6c79397b1777509d829afd190

SHA512
65c5fbf092657153932ab24003780d4e1bfdfee698b0e9581b6d01681321968a3664f33d828bf66a77e1f9b1fac53df64b235fe4a400e60b248856a6b2df80ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
961317971b1d3abf6cf4ac50359ef83e

SHA1
fd16d308f3b5fc57f14d4793aeb97d64ff18c30e

SHA256
02d9afa12eeddab6a91d18186dc5a533b2a6c17d269e170222b82c60e8ae78c3

SHA512
73f2599ec66f601405e7af5392b5b012e682aa75574db15e722699df945ed9f056a2f057f9ca5d812b9c1429b579e889a558addc76f478880f09ac4da5d096f2

Download Submit
\Windows\SysWOW64\RconScanner.exe

Filesize
619KB

MD5
a3d77a7ff0ce22956948f815f5024904

SHA1
46285fcc78a5a28b591e483323776acaf15ec061

SHA256
9ea1cfc6af3a911fbad25501344303af5487b2c13897104fa4dbf4d127bade48

SHA512
98f45b94227a8048dc579a7d640f8e6a6d85cdad7ce539e8ec3c1dbcd78f83aadfb18bb93f9fd0b904140ddb4adfc72dd71ad89016a21fa9a2453153c5a47016

Download Submit
memory/1200-94-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1692-14250-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1692-39325-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-26836-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-19341-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-29333-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-19326-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-31829-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-16755-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-16756-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-16748-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-26831-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-6123-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1692-34328-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-34338-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-14239-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-21836-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-21844-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-41835-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-11213-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-46827-0x0000000008650000-0x0000000008662000-memory.dmp

Filesize
72KB

Download
memory/1692-46834-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-49328-0x0000000008650000-0x0000000008662000-memory.dmp

Filesize
72KB

Download
memory/1692-24339-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-2795-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1692-8706-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-8707-0x0000000008A30000-0x0000000008A42000-memory.dmp

Filesize
72KB

Download
memory/1692-51832-0x0000000008650000-0x0000000008662000-memory.dmp

Filesize
72KB

Download
memory/1692-54334-0x0000000008650000-0x0000000008662000-memory.dmp

Filesize
72KB

Download
memory/1692-2774-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2676-23-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2676-9-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2676-32-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2676-33-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/2676-34-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/2676-35-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/2676-36-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/2676-37-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/2676-38-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/2676-39-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/2676-40-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/2676-41-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/2676-42-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/2676-43-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/2676-44-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/2676-45-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2676-46-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2676-47-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/2676-48-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2676-49-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/2676-50-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/2676-51-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2676-52-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2676-53-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/2676-54-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/2676-61-0x00000000030F0000-0x0000000003102000-memory.dmp

Filesize
72KB

Download
memory/2676-79-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-76-0x00000000030F0000-0x0000000003102000-memory.dmp

Filesize
72KB

Download
memory/2676-75-0x00000000030F0000-0x0000000003102000-memory.dmp

Filesize
72KB

Download
memory/2676-74-0x00000000030F0000-0x0000000003102000-memory.dmp

Filesize
72KB

Download
memory/2676-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-8-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/2676-3-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2676-4-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2676-2-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2676-30-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/2676-29-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/2676-5-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2676-7-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2676-13-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2676-28-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/2676-27-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2676-25-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/2676-26-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/2676-24-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2676-22-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2676-21-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2676-20-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2676-19-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2676-15-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2676-18-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2676-17-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2676-16-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2676-1-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2676-6-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2676-31-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2676-10-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2676-11-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2676-14-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2676-12-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2716-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2716-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2764-87-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2764-93-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2764-89-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2764-90-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2764-88-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2764-83-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2764-11212-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3184-16758-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3184-24381-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3312-16752-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3312-16749-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4212-19363-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4424-8711-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4424-8708-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4548-16779-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4548-8713-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4620-8735-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5964-6151-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/6180-11217-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/6180-11214-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/7380-14251-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/7380-21864-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/9196-14246-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/9196-14240-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/9688-19336-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/9780-26879-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/12592-26834-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/12592-26832-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/12632-34360-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/12988-41836-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/12988-49362-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/13892-29331-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/13892-29329-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/13944-36857-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/13944-29335-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/14392-21839-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/14392-21837-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/14404-24340-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/14404-31858-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/14428-29379-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/14428-21845-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/15928-39336-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/15928-46858-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/17116-31832-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/17116-31830-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/17144-39357-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/17144-31836-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/17168-44357-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/17168-36834-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/17472-34329-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/17472-34331-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/17500-34339-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/17500-41856-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/18064-46835-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/21072-44328-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/21072-44326-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/21108-51864-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/26336-51833-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/26336-51836-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/26372-51840-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/27472-49340-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/27472-49329-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/27500-49341-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download