Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    28-11-2024 20:08

General

  • Target

    ad7376353773464755502b50dea5fabd_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    ad7376353773464755502b50dea5fabd

  • SHA1

    0d9d5e10885659ec3925db9cfb17cadf20e1293c

  • SHA256

    6f3e7496171fc07feb0c1dfecf7d6bb367c15836acb5571b2f9fc4f980db2a32

  • SHA512

    036e68309853dd2793bd95246243e85125c12bbb093a6572df8ff35b0ea189b81b44aa25f852432b40e393ede014bb6b7d25ef5df826fe30d642b609e7096afe

  • SSDEEP

    49152:UWSaaeEQcNm036hvpmIXUXg2z1qRJKvYG8OlA82MNg9/Et:NSaaeExE0ERUwe1aJKQhuND

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

PC

C2

etoneratnik.ddns.net:28015

localhost:28015

Mutex

FCK_RAT_1WsrmPyKlRpwcMNdsv

Attributes
  • encryption_key

    hUeALvSVdWkKP5gkYVqc

  • install_name

    stеamwеbhеlper.exe

  • log_directory

    Logs

  • reconnect_delay

    2000

  • startup_key

    Steam Client WebHelper (32 бита)

  • subdirectory

    Steam

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 44 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
  • Checks BIOS information in registry 2 TTPs 28 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 13 IoCs
  • Identifies Wine through registry keys 2 TTPs 14 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 14 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad7376353773464755502b50dea5fabd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ad7376353773464755502b50dea5fabd_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ad7376353773464755502b50dea5fabd_JaffaCakes118.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2252
    • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
      "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2916
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQJKfmBU72J7.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2704
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2940
        • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
          "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Checks whether UAC is enabled
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2076
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUKVFjARv3Cm.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1352
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1360
            • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
              "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Checks whether UAC is enabled
              • Writes to the Master Boot Record (MBR)
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1680
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2516
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\uHKorPUjDmZp.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1900
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:880
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2488
                • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                  "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                  8⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Checks whether UAC is enabled
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:2432
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:932
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\aPmBoaycZCYC.bat" "
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2936
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 65001
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2952
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 10 localhost
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:2908
                    • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                      "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                      10⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Checks whether UAC is enabled
                      • Writes to the Master Boot Record (MBR)
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Drops file in Program Files directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      PID:2628
                      • C:\Windows\SysWOW64\schtasks.exe
                        "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                        11⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:844
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Vc5CH7st18k.bat" "
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2504
                        • C:\Windows\SysWOW64\chcp.com
                          chcp 65001
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:404
                        • C:\Windows\SysWOW64\PING.EXE
                          ping -n 10 localhost
                          12⤵
                          • System Location Discovery: System Language Discovery
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Runs ping.exe
                          PID:480
                        • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                          "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                          12⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Checks whether UAC is enabled
                          • Writes to the Master Boot Record (MBR)
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Drops file in Program Files directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of SetWindowsHookEx
                          PID:1044
                          • C:\Windows\SysWOW64\schtasks.exe
                            "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                            13⤵
                            • System Location Discovery: System Language Discovery
                            • Scheduled Task/Job: Scheduled Task
                            PID:1040
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcFiMjRSjeQD.bat" "
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:832
                            • C:\Windows\SysWOW64\chcp.com
                              chcp 65001
                              14⤵
                              • System Location Discovery: System Language Discovery
                              PID:872
                            • C:\Windows\SysWOW64\PING.EXE
                              ping -n 10 localhost
                              14⤵
                              • System Location Discovery: System Language Discovery
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2160
                            • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                              "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                              14⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Checks whether UAC is enabled
                              • Writes to the Master Boot Record (MBR)
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Drops file in Program Files directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              PID:1544
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                                15⤵
                                • System Location Discovery: System Language Discovery
                                • Scheduled Task/Job: Scheduled Task
                                PID:1700
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\BayJtDSsRp7z.bat" "
                                15⤵
                                • System Location Discovery: System Language Discovery
                                PID:2796
                                • C:\Windows\SysWOW64\chcp.com
                                  chcp 65001
                                  16⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1488
                                • C:\Windows\SysWOW64\PING.EXE
                                  ping -n 10 localhost
                                  16⤵
                                  • System Location Discovery: System Language Discovery
                                  • System Network Configuration Discovery: Internet Connection Discovery
                                  • Runs ping.exe
                                  PID:2928
                                • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                                  "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                                  16⤵
                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                  • Checks BIOS information in registry
                                  • Executes dropped EXE
                                  • Identifies Wine through registry keys
                                  • Checks whether UAC is enabled
                                  • Writes to the Master Boot Record (MBR)
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • Drops file in Program Files directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2840
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                                    17⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:288
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ohcx4fmSGSOR.bat" "
                                    17⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3016
                                    • C:\Windows\SysWOW64\chcp.com
                                      chcp 65001
                                      18⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1136
                                    • C:\Windows\SysWOW64\PING.EXE
                                      ping -n 10 localhost
                                      18⤵
                                      • System Location Discovery: System Language Discovery
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:2584
                                    • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                                      "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                                      18⤵
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Checks whether UAC is enabled
                                      • Writes to the Master Boot Record (MBR)
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • Drops file in Program Files directory
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2620
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                                        19⤵
                                        • System Location Discovery: System Language Discovery
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1248
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tTKx9NEvghBd.bat" "
                                        19⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:2096
                                        • C:\Windows\SysWOW64\chcp.com
                                          chcp 65001
                                          20⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:852
                                        • C:\Windows\SysWOW64\PING.EXE
                                          ping -n 10 localhost
                                          20⤵
                                          • System Location Discovery: System Language Discovery
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:1616
                                        • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                                          "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                                          20⤵
                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Identifies Wine through registry keys
                                          • Checks whether UAC is enabled
                                          • Writes to the Master Boot Record (MBR)
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • Drops file in Program Files directory
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of SetWindowsHookEx
                                          PID:928
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                                            21⤵
                                            • System Location Discovery: System Language Discovery
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3052
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUnPaVxSKEkv.bat" "
                                            21⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:1044
                                            • C:\Windows\SysWOW64\chcp.com
                                              chcp 65001
                                              22⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2268
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping -n 10 localhost
                                              22⤵
                                              • System Location Discovery: System Language Discovery
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:1000
                                            • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                                              "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                                              22⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Checks whether UAC is enabled
                                              • Writes to the Master Boot Record (MBR)
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • Drops file in Program Files directory
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1820
                                              • C:\Windows\SysWOW64\schtasks.exe
                                                "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                                                23⤵
                                                • System Location Discovery: System Language Discovery
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:612
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\PApng7XNu2iu.bat" "
                                                23⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2180
                                                • C:\Windows\SysWOW64\chcp.com
                                                  chcp 65001
                                                  24⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2872
                                                • C:\Windows\SysWOW64\PING.EXE
                                                  ping -n 10 localhost
                                                  24⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:1468
                                                • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                                                  "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                                                  24⤵
                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                  • Checks BIOS information in registry
                                                  • Executes dropped EXE
                                                  • Identifies Wine through registry keys
                                                  • Checks whether UAC is enabled
                                                  • Writes to the Master Boot Record (MBR)
                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                  • Drops file in Program Files directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:1268
                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                    "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                                                    25⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2824
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\mctUC40YnNbh.bat" "
                                                    25⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:932
                                                    • C:\Windows\SysWOW64\chcp.com
                                                      chcp 65001
                                                      26⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2252
                                                    • C:\Windows\SysWOW64\PING.EXE
                                                      ping -n 10 localhost
                                                      26⤵
                                                      • System Location Discovery: System Language Discovery
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:288
                                                    • C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                                                      "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                                                      26⤵
                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                      • Checks BIOS information in registry
                                                      • Executes dropped EXE
                                                      • Identifies Wine through registry keys
                                                      • Checks whether UAC is enabled
                                                      • Writes to the Master Boot Record (MBR)
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      • Drops file in Program Files directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2864
                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                        "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
                                                        27⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2308
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYV3Qq0q7H1g.bat" "
                                                        27⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2144
                                                        • C:\Windows\SysWOW64\chcp.com
                                                          chcp 65001
                                                          28⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2624
                                                        • C:\Windows\SysWOW64\PING.EXE
                                                          ping -n 10 localhost
                                                          28⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:1248
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1628
                                                        27⤵
                                                        • Loads dropped DLL
                                                        • Program crash
                                                        PID:480
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1576
                                                    25⤵
                                                    • Loads dropped DLL
                                                    • Program crash
                                                    PID:2432
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1608
                                                23⤵
                                                • Loads dropped DLL
                                                • Program crash
                                                PID:2508
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1616
                                            21⤵
                                            • Loads dropped DLL
                                            • Program crash
                                            PID:2848
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1584
                                        19⤵
                                        • Loads dropped DLL
                                        • Program crash
                                        PID:2384
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1636
                                    17⤵
                                    • Loads dropped DLL
                                    • Program crash
                                    PID:2140
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1596
                                15⤵
                                • Loads dropped DLL
                                • Program crash
                                PID:2108
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1608
                            13⤵
                            • Loads dropped DLL
                            • Program crash
                            PID:2548
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1600
                        11⤵
                        • Loads dropped DLL
                        • Program crash
                        PID:2116
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1604
                    9⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:2980
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1616
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:1908
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1608
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1624
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\mntemp

    Filesize

    16B

  • C:\Users\Admin\AppData\Local\Temp\9Vc5CH7st18k.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\BayJtDSsRp7z.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\HYV3Qq0q7H1g.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\PApng7XNu2iu.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\SQJKfmBU72J7.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\WUnPaVxSKEkv.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\aPmBoaycZCYC.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\mcFiMjRSjeQD.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\mctUC40YnNbh.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\ohcx4fmSGSOR.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\tTKx9NEvghBd.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\uHKorPUjDmZp.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Local\Temp\yUKVFjARv3Cm.bat

    Filesize

    209B

  • C:\Users\Admin\AppData\Roaming\Logs\11-28-2024

    Filesize

    224B

  • \Program Files (x86)\Steam\stеamwеbhеlper.exe

    Filesize

    2.6MB
