goldenspy | 20932b2151de5f0dc5c1159fbc1d2d004f069bb04d32d66dc7fa5b7b9eac1aa7

Analysis

max time kernel
142s
max time network
143s
platform
windows10_x64
resource
win10v200430
submitted
02-07-2020 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoldenSpy (6).exe
Size

366KB
MD5

b363e855f613233848a0a89216488bfb
SHA1

c897972dfd26a07591cabbeeeeeb1db18f2f21d4
SHA256

20932b2151de5f0dc5c1159fbc1d2d004f069bb04d32d66dc7fa5b7b9eac1aa7
SHA512

47d65f9d64e2d9fd5fe78731d990dadb6148240477dc20ef9305ae5d32345ef2d28e82a10d40e2139141bf0c25556eb633b0c7cf1139989ec0bf0a610d6efeda

Score

10^/10

trojan backdoor goldenspy persistence

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4028 created 2704	4028	WerFault.exe	svm.exe
PID 4000 created 3572	4000	WerFault.exe	svm.exe
PID 1064 created 2904	1064	WerFault.exe	svm.exe
PID 1000 created 2208	1000	WerFault.exe	svm.exe
PID 2304 created 1140	2304	WerFault.exe	svm.exe
PID 2148 created 2124	2148	WerFault.exe	svm.exe
PID 3692 created 3764	3692	WerFault.exe	svm.exe
PID 3608 created 652	3608	WerFault.exe	svm.exe
PID 3404 created 3632	3404	WerFault.exe	svm.exe
PID 3384 created 1360	3384	WerFault.exe	svm.exe
PID 3772 created 3860	3772	WerFault.exe	svm.exe
PID 1772 created 2124	1772	WerFault.exe	svm.exe
PID 820 created 4076	820	WerFault.exe	svm.exe

GoldenSpy
Backdoor spotted in June 2020 being distributed with the Chinese "Intelligent Tax" software.
trojan backdoor goldenspy

Drops file in System32 directory 30 IoCs

Processes:

svm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe

Modifies data under HKEY_USERS 104 IoCs

Processes:

svm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe

Drops file in Program Files directory 15 IoCs

Processes:

svmm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exeGoldenSpy (6).exesvm.exesvm.exesvm.exesvm.exesvm.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svmm.log	svmm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File created	C:\Program Files (x86)\svm\svm.exe	GoldenSpy (6).exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe

Loads dropped DLL 4 IoCs

Processes:

GoldenSpy (6).exe

pid process

1652 GoldenSpy (6).exe
1652 GoldenSpy (6).exe
1652 GoldenSpy (6).exe
1652 GoldenSpy (6).exe

Suspicious behavior: EnumeratesProcesses 199 IoCs

Processes:

GoldenSpy (6).exesvmm.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1652	GoldenSpy (6).exe
1652	GoldenSpy (6).exe
1652	GoldenSpy (6).exe
1652	GoldenSpy (6).exe
4072	svmm.exe
4072	svmm.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
4072	svmm.exe
4072	svmm.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4072	svmm.exe
4072	svmm.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
4072	svmm.exe
4072	svmm.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

GoldenSpy (6).exesvmm.exe

description	pid	process	target process
PID 1652 wrote to memory of 1928	1652	GoldenSpy (6).exe	svm.exe
PID 1652 wrote to memory of 1928	1652	GoldenSpy (6).exe	svm.exe
PID 1652 wrote to memory of 1928	1652	GoldenSpy (6).exe	svm.exe
PID 1652 wrote to memory of 2120	1652	GoldenSpy (6).exe	svmm.exe
PID 1652 wrote to memory of 2120	1652	GoldenSpy (6).exe	svmm.exe
PID 1652 wrote to memory of 2120	1652	GoldenSpy (6).exe	svmm.exe
PID 1652 wrote to memory of 2492	1652	GoldenSpy (6).exe	svm.exe
PID 1652 wrote to memory of 2492	1652	GoldenSpy (6).exe	svm.exe
PID 1652 wrote to memory of 2492	1652	GoldenSpy (6).exe	svm.exe
PID 1652 wrote to memory of 2568	1652	GoldenSpy (6).exe	svmm.exe
PID 1652 wrote to memory of 2568	1652	GoldenSpy (6).exe	svmm.exe
PID 1652 wrote to memory of 2568	1652	GoldenSpy (6).exe	svmm.exe
PID 4072 wrote to memory of 3060	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 3060	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 3060	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 868	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 868	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 868	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 3360	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 3360	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 3360	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 1192	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 1192	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 1192	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 2096	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 2096	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 2096	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 1920	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 1920	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 1920	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 1672	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 1672	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 1672	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 376	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 376	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 376	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 356	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 356	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 356	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 4028	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 4028	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 4028	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 2192	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 2192	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 2192	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 3704	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 3704	4072	svmm.exe	svm.exe
PID 4072 wrote to memory of 3704	4072	svmm.exe	svm.exe

Modifies service 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svm.exesvmm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\svm	svm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\svm\EventMessageFile = "C:\\Program Files (x86)\\svm\\svm.exe"	svm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\svm\TypesSupported = "7"	svm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\svmm	svmm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\svmm\EventMessageFile = "C:\\Program Files (x86)\\svm\\svmm.exe"	svmm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\svmm\TypesSupported = "7"	svmm.exe

GoldenSpy Payload 32 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload

Executes dropped EXE 30 IoCs

Processes:

svm.exesvmm.exesvm.exesvm.exesvmm.exesvmm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exe

pid	process
1928	svm.exe
2120	svmm.exe
2492	svm.exe
2704	svm.exe
2568	svmm.exe
4072	svmm.exe
3060	svm.exe
3572	svm.exe
868	svm.exe
2904	svm.exe
3360	svm.exe
2208	svm.exe
1192	svm.exe
1140	svm.exe
2096	svm.exe
2124	svm.exe
1920	svm.exe
3764	svm.exe
1672	svm.exe
652	svm.exe
376	svm.exe
3632	svm.exe
356	svm.exe
1360	svm.exe
4028	svm.exe
3860	svm.exe
2192	svm.exe
2124	svm.exe
3704	svm.exe
4076	svm.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4028	2704	WerFault.exe	svm.exe
4000	3572	WerFault.exe	svm.exe
1064	2904	WerFault.exe	svm.exe
1000	2208	WerFault.exe	svm.exe
2304	1140	WerFault.exe	svm.exe
2148	2124	WerFault.exe	svm.exe
3692	3764	WerFault.exe	svm.exe
3608	652	WerFault.exe	svm.exe
3404	3632	WerFault.exe	svm.exe
3384	1360	WerFault.exe	svm.exe
3772	3860	WerFault.exe	svm.exe
1772	2124	WerFault.exe	svm.exe
820	4076	WerFault.exe	svm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	4028	WerFault.exe
Token: SeBackupPrivilege	4028	WerFault.exe
Token: SeDebugPrivilege	4028	WerFault.exe
Token: SeDebugPrivilege	4000	WerFault.exe
Token: SeDebugPrivilege	1064	WerFault.exe
Token: SeDebugPrivilege	1000	WerFault.exe
Token: SeDebugPrivilege	2304	WerFault.exe
Token: SeDebugPrivilege	2148	WerFault.exe
Token: SeDebugPrivilege	3692	WerFault.exe
Token: SeDebugPrivilege	3608	WerFault.exe
Token: SeDebugPrivilege	3404	WerFault.exe
Token: SeDebugPrivilege	3384	WerFault.exe
Token: SeDebugPrivilege	3772	WerFault.exe
Token: SeDebugPrivilege	1772	WerFault.exe
Token: SeDebugPrivilege	820	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\GoldenSpy (6).exe
"C:\Users\Admin\AppData\Local\Temp\GoldenSpy (6).exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -i
2⤵
- Modifies service
- Executes dropped EXE
PID:1928

C:\Program Files (x86)\svm\svmm.exe
"C:\Program Files (x86)\svm\svmm.exe" -i
2⤵
- Modifies service
- Executes dropped EXE
PID:2120

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:2492

C:\Program Files (x86)\svm\svmm.exe
"C:\Program Files (x86)\svm\svmm.exe" -start
2⤵
- Executes dropped EXE
PID:2568

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 984
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Program Files (x86)\svm\svmm.exe
"C:\Program Files (x86)\svm\svmm.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:4072

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:3060

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:868

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:3360

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:1192

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:2096

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:1920

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:1672

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:376

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:356

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:4028

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:2192

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:3704

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 680
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 668
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 664
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 668
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 668
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 668
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 664
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 676
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 828
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 664
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 676
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Drops file in Program Files directory
- Executes dropped EXE
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 664
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\log\20200702-svm.log

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svm.exe

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Download Submit
\Users\Admin\AppData\Local\Temp\nsq167D.tmp\processwork.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsq167D.tmp\processwork.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsq167D.tmp\processwork.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsq167D.tmp\processwork.dll

Download Submit
memory/356-136-0x0000000000000000-mapping.dmp

Download
memory/376-129-0x0000000000000000-mapping.dmp

Download
memory/820-214-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/820-215-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/868-25-0x0000000000000000-mapping.dmp

Download
memory/1000-36-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download
memory/1000-38-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1064-29-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1064-31-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/1192-39-0x0000000000000000-mapping.dmp

Download
memory/1672-117-0x0000000000000000-mapping.dmp

Download
memory/1772-203-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/1772-207-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1920-106-0x0000000000000000-mapping.dmp

Download
memory/1928-4-0x0000000000000000-mapping.dmp

Download
memory/2096-51-0x0000000000000000-mapping.dmp

Download
memory/2120-7-0x0000000000000000-mapping.dmp

Download
memory/2148-57-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/2148-55-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/2192-199-0x0000000000000000-mapping.dmp

Download
memory/2304-43-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2304-47-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/2304-44-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2492-10-0x0000000000000000-mapping.dmp

Download
memory/2568-12-0x0000000000000000-mapping.dmp

Download
memory/3060-18-0x0000000000000000-mapping.dmp

Download
memory/3360-32-0x0000000000000000-mapping.dmp

Download
memory/3384-143-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

Filesize
4KB

Download
memory/3404-133-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/3404-135-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/3608-127-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/3608-125-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

Filesize
4KB

Download
memory/3608-126-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/3692-114-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

Filesize
4KB

Download
memory/3692-115-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/3692-110-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/3704-210-0x0000000000000000-mapping.dmp

Download
memory/3772-198-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/3772-196-0x0000000003750000-0x0000000003751000-memory.dmp

Filesize
4KB

Download
memory/4000-24-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/4000-23-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/4000-22-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/4028-192-0x0000000000000000-mapping.dmp

Download
memory/4028-17-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/4028-16-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download