205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60

Analysis

max time kernel
119s
max time network
133s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
Size

9.5MB
MD5

0ec29d2e49bae6f922b735be7259d3cc
SHA1

0a806b4918388a56e877ca92559d15725df439f2
SHA256

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60
SHA512

486507b682227fae304280c96a7f6f6ee6a08615cbcbac7754acfd5ee74eb24325ab1cfb8c010b9663cd108b882f78cff9b344515df01c6574e77ac01341be2c

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

E2BFBEC0.EXE92F3DF25.EXEE2BFBEC0.EXE

pid process

1932 E2BFBEC0.EXE
1624 92F3DF25.EXE
992 E2BFBEC0.EXE

pid	process
1932	E2BFBEC0.EXE
1624	92F3DF25.EXE
992	E2BFBEC0.EXE

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

92F3DF25.EXEE2BFBEC0.EXE205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exeE2BFBEC0.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	92F3DF25.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	92F3DF25.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	E2BFBEC0.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	E2BFBEC0.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	E2BFBEC0.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	E2BFBEC0.EXE

Deletes itself 1 IoCs

Processes:

E2BFBEC0.EXE

pid process

1932 E2BFBEC0.EXE

pid	process
1932	E2BFBEC0.EXE

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exeE2BFBEC0.EXEE2BFBEC0.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine	E2BFBEC0.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine	E2BFBEC0.EXE

Loads dropped DLL 4 IoCs

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exeE2BFBEC0.EXE92F3DF25.EXE

pid process

2028 205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
1932 E2BFBEC0.EXE
1932 E2BFBEC0.EXE
1624 92F3DF25.EXE
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

92F3DF25.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 92F3DF25.EXE
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

92F3DF25.EXE

description ioc process

File opened for modification \??\PhysicalDrive0 92F3DF25.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	92F3DF25.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	92F3DF25.EXE

Drops file in System32 directory 2 IoCs

Processes:

92F3DF25.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\libcrypto-1_1.dll	92F3DF25.EXE
File opened for modification	C:\Windows\SysWOW64\libcrypto-1_1.dll	92F3DF25.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exeE2BFBEC0.EXE92F3DF25.EXEE2BFBEC0.EXE

pid process

2028 205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
1932 E2BFBEC0.EXE
1624 92F3DF25.EXE
992 E2BFBEC0.EXE

Drops file in Windows directory 28 IoCs

Processes:

92F3DF25.EXEE2BFBEC0.EXE

description	ioc	process
File opened for modification	C:\Windows\Prefetch\AgGlFaultHistory.db	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\CMD.EXE-4A81B364.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\ReadyBoot\ReadyBoot.etl	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-860C49A4.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\SPPSVC.EXE-B0F8131B.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\ReadyBoot\ReadyBoot.etl	E2BFBEC0.EXE
File opened for modification	C:\Windows\Prefetch\DRVINST.EXE-4CB4314A.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-863AA78D.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\SETUPUGC.EXE-E3C49C28.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\CLRGC.EXE-5D5B90F5.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\NETSH.EXE-F1B6DA12.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\TASKHOST.EXE-7238F31D.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\AgAppLaunch.db	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\BFSVC.EXE-9C7A4DEE.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\MSCORSVW.EXE-245ED79E.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\PfSvPerfStats.bin	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\ReadyBoot	E2BFBEC0.EXE
File opened for modification	C:\Windows\Prefetch\AgRobust.db	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\ReadyBoot	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\NTOSBOOT-B00DFAAD.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-2CD59FDD.pf	92F3DF25.EXE
File opened for modification	C:\Windows\Prefetch\	E2BFBEC0.EXE

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

92F3DF25.EXEE2BFBEC0.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	92F3DF25.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	E2BFBEC0.EXE

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

E2BFBEC0.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E2BFBEC0.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E2BFBEC0.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	E2BFBEC0.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	E2BFBEC0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	E2BFBEC0.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E2BFBEC0.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exeE2BFBEC0.EXE92F3DF25.EXEE2BFBEC0.EXE

pid process

2028 205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
1932 E2BFBEC0.EXE
1624 92F3DF25.EXE
992 E2BFBEC0.EXE
992 E2BFBEC0.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

92F3DF25.EXEAUDIODG.EXEE2BFBEC0.EXE

description	pid	process
Token: SeDebugPrivilege	1624	92F3DF25.EXE
Token: 33	1176	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1176	AUDIODG.EXE
Token: 33	1176	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1176	AUDIODG.EXE
Token: SeDebugPrivilege	992	E2BFBEC0.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

92F3DF25.EXEE2BFBEC0.EXE

pid process

1624 92F3DF25.EXE
1624 92F3DF25.EXE
1624 92F3DF25.EXE
1624 92F3DF25.EXE
992 E2BFBEC0.EXE
992 E2BFBEC0.EXE
992 E2BFBEC0.EXE
992 E2BFBEC0.EXE
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

92F3DF25.EXEE2BFBEC0.EXE

pid process

1624 92F3DF25.EXE
1624 92F3DF25.EXE
1624 92F3DF25.EXE
1624 92F3DF25.EXE
992 E2BFBEC0.EXE
992 E2BFBEC0.EXE
992 E2BFBEC0.EXE
992 E2BFBEC0.EXE

pid	process
1624	92F3DF25.EXE
1624	92F3DF25.EXE
1624	92F3DF25.EXE
1624	92F3DF25.EXE
992	E2BFBEC0.EXE
992	E2BFBEC0.EXE
992	E2BFBEC0.EXE
992	E2BFBEC0.EXE

pid	process
1624	92F3DF25.EXE
1624	92F3DF25.EXE
1624	92F3DF25.EXE
1624	92F3DF25.EXE
992	E2BFBEC0.EXE
992	E2BFBEC0.EXE
992	E2BFBEC0.EXE
992	E2BFBEC0.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exeE2BFBEC0.EXE92F3DF25.EXEE2BFBEC0.EXE

pid	process
2028	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
2028	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
1932	E2BFBEC0.EXE
1932	E2BFBEC0.EXE
1624	92F3DF25.EXE
1624	92F3DF25.EXE
1624	92F3DF25.EXE
1624	92F3DF25.EXE
992	E2BFBEC0.EXE
992	E2BFBEC0.EXE
992	E2BFBEC0.EXE
992	E2BFBEC0.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exeE2BFBEC0.EXE92F3DF25.EXE

description	pid	process	target process
PID 2028 wrote to memory of 1512	2028	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	sc.exe
PID 2028 wrote to memory of 1512	2028	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	sc.exe
PID 2028 wrote to memory of 1512	2028	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	sc.exe
PID 2028 wrote to memory of 1512	2028	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	sc.exe
PID 2028 wrote to memory of 1932	2028	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	E2BFBEC0.EXE
PID 2028 wrote to memory of 1932	2028	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	E2BFBEC0.EXE
PID 2028 wrote to memory of 1932	2028	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	E2BFBEC0.EXE
PID 2028 wrote to memory of 1932	2028	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	E2BFBEC0.EXE
PID 1932 wrote to memory of 1076	1932	E2BFBEC0.EXE	sc.exe
PID 1932 wrote to memory of 1076	1932	E2BFBEC0.EXE	sc.exe
PID 1932 wrote to memory of 1076	1932	E2BFBEC0.EXE	sc.exe
PID 1932 wrote to memory of 1076	1932	E2BFBEC0.EXE	sc.exe
PID 1932 wrote to memory of 1624	1932	E2BFBEC0.EXE	92F3DF25.EXE
PID 1932 wrote to memory of 1624	1932	E2BFBEC0.EXE	92F3DF25.EXE
PID 1932 wrote to memory of 1624	1932	E2BFBEC0.EXE	92F3DF25.EXE
PID 1932 wrote to memory of 1624	1932	E2BFBEC0.EXE	92F3DF25.EXE
PID 1624 wrote to memory of 992	1624	92F3DF25.EXE	E2BFBEC0.EXE
PID 1624 wrote to memory of 992	1624	92F3DF25.EXE	E2BFBEC0.EXE
PID 1624 wrote to memory of 992	1624	92F3DF25.EXE	E2BFBEC0.EXE
PID 1624 wrote to memory of 992	1624	92F3DF25.EXE	E2BFBEC0.EXE

C:\Users\Admin\AppData\Local\Temp\205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
"C:\Users\Admin\AppData\Local\Temp\205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config Winmgmt start=auto
2⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\E2BFBEC0.EXE
"C:\Users\Admin\AppData\Local\Temp\E2BFBEC0.EXE" C:\Users\Admin\AppData\Local\Temp\205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Deletes itself
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config Winmgmt start=auto
3⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\92F3DF25.EXE
"C:\Users\Admin\AppData\Local\Temp\92F3DF25.EXE"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\E2BFBEC0.EXE
"C:\Users\Admin\AppData\Local\Temp\E2BFBEC0.EXE" C:\Users\Admin\AppData\Local\Temp\92F3DF25.EXE
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x560
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
876bb087b3eb935a4da2e5e7b74dc034

SHA1
3a4887eefbec2a9c06fac1f54ac0e91d96878e15

SHA256
0b332fabb7d73fba30142fb2a062431ac432bd49fbf7bd71416b00a368770e64

SHA512
98fdf68279a4eb3b26e0fdab0ed19a516d6ceab3e809b3dff0a770238e18b83963e510368a326f0ab87fd669bfaeceb2e395b246aed1f1bcaba8a882487fd4a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_665120A0D9C414754DD0F4487D79F885
Filesize
472B

MD5
e67f07efe64e042f3d0002b701b185c1

SHA1
76c83ee5886c59f4b9c921afc01687534cdbe397

SHA256
b0aa13e6d7b664cdf7129fda741441dfe9d93d09dd2347efa69e36e4c0687b3e

SHA512
e2f24cd78d0671495dacb2d76e81cd1d63abf177cfb5abd870ae4d44921c1ecf986c7b6fdebf922b2b694807c93f34bc967a1ae858d6595f0969276d23a6e0f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
069f8318ff124e4161c5d1fcdfa8388a

SHA1
8e5a70e5a6db9e414d353aafe906fdce1dd3824e

SHA256
1f39920238e192c02c9e341e27266125a4c9a4d0a900dd0d1d13b3700d721b4e

SHA512
f2c72d1f73d797ae1a5c3ce1a30a185907770563e2eead6bb8c2f58a8fa7594d0b522047b874dcea8dec6fb2a636d5a34d246ecf1db726aee751354e78c3a703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
46ceb029457ce377929ef62e3e8bd355

SHA1
4aa3a060a0653f89baf1d64e98d8b75d3ba714f3

SHA256
1062c2216221e7c6e5f2a6ab7ab6ae7e77f76b996f4b75e523b0092ce4b316fd

SHA512
478f170b0a78350bedb9c000993a554f730183e67bfb7edc87c3ad404b169420421f3a5b7a8f474cec523cd02fbbd0eab2916adb825555eb74fb34129c789eb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
68b44b2b9c36b8a512a8a7d873de069f

SHA1
05a721bad269cfb23998e2ca6de34bd141821b40

SHA256
e94c8d847ef79cc8dfef2abde5a21d3b329f1fb47d184e92d3953a2535d7abe6

SHA512
a6fe011f9ca8398be70f4726c974cf65f6c07a9ac00b726d57b7147da3248f82c8e7e3a9d40618482d92a7f6bebd903261fccea9aebbd004767139d1cfb03d1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_665120A0D9C414754DD0F4487D79F885
Filesize
406B

MD5
9414cbfb8ace6d78b6753e1ff22edf8e

SHA1
c09ea97afe40e175830ae4c8128f62d82c32453b

SHA256
bfc3f6cefc84a3e2cb9d71a0572bb0c362bbae5d1ec95154ac89c14f141e0911

SHA512
0bd1aa6ecd339d9e78b6371b1ab3ab5388d9fdcffcf768faea65d930b3eabadaf8074d50612caf269050ec945c930a39d6b7ae14648b0568935f4e371dc06171

Download Submit
C:\Users\Admin\AppData\Local\Temp\92F3DF25.EXE
Filesize
7.5MB

MD5
d17fedcbd09fb98051fcf96da18a8aac

SHA1
6a523cff8b733d02ad9f65028b994fdc470897c8

SHA256
ff374aeb654183a0b28d453bbc33cfc01148167a61b05e9aeff600e227475cf7

SHA512
23d5f522da1609159fdb6ff9eba9d443a4f0f9819b517c6e5a9813e9eee571ab94c00c80eedfa9a4883c84b02acf4f0db2c5099c83a3cda649ec1b5572f9f095

Download Submit
C:\Users\Admin\AppData\Local\Temp\92F3DF25.EXE
Filesize
7.5MB

MD5
d17fedcbd09fb98051fcf96da18a8aac

SHA1
6a523cff8b733d02ad9f65028b994fdc470897c8

SHA256
ff374aeb654183a0b28d453bbc33cfc01148167a61b05e9aeff600e227475cf7

SHA512
23d5f522da1609159fdb6ff9eba9d443a4f0f9819b517c6e5a9813e9eee571ab94c00c80eedfa9a4883c84b02acf4f0db2c5099c83a3cda649ec1b5572f9f095

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2BFBEC0.EXE
Filesize
7.0MB

MD5
7ec4a713694d351a0a8cb0bace19be2f

SHA1
de0da87dff6f4563b0e716c5533231e58c844a40

SHA256
7ce16dd164e7e6afa8958e993583a5edee588c89717d57c1b9d18175b7723806

SHA512
9ebe7825e90fdb33cbd53c2af7ba52c19661f2edae2464932ba00054dfd291d32d69a846d07a439653a29aaa959b5985265728f6fec749401c35894b780c7f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2BFBEC0.EXE
Filesize
7.0MB

MD5
7ec4a713694d351a0a8cb0bace19be2f

SHA1
de0da87dff6f4563b0e716c5533231e58c844a40

SHA256
7ce16dd164e7e6afa8958e993583a5edee588c89717d57c1b9d18175b7723806

SHA512
9ebe7825e90fdb33cbd53c2af7ba52c19661f2edae2464932ba00054dfd291d32d69a846d07a439653a29aaa959b5985265728f6fec749401c35894b780c7f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2BFBEC0.EXE
Filesize
9.5MB

MD5
0ec29d2e49bae6f922b735be7259d3cc

SHA1
0a806b4918388a56e877ca92559d15725df439f2

SHA256
205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60

SHA512
486507b682227fae304280c96a7f6f6ee6a08615cbcbac7754acfd5ee74eb24325ab1cfb8c010b9663cd108b882f78cff9b344515df01c6574e77ac01341be2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2BFBEC0.EXE
Filesize
9.5MB

MD5
0ec29d2e49bae6f922b735be7259d3cc

SHA1
0a806b4918388a56e877ca92559d15725df439f2

SHA256
205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60

SHA512
486507b682227fae304280c96a7f6f6ee6a08615cbcbac7754acfd5ee74eb24325ab1cfb8c010b9663cd108b882f78cff9b344515df01c6574e77ac01341be2c

Download Submit
C:\Windows\SysWOW64\libcrypto-1_1.dll
Filesize
2.4MB

MD5
c58b2589b88c5da34df20f737b7ac50c

SHA1
05ed6edafd5342b546fb5d5a6162695f11f5d4da

SHA256
49b26d14cf68a370de47f8f3724e46e61bff98aba7dd7b8a7c1f87e83bb44064

SHA512
4e2db4133fdb69dcc7a03201810b10cf9519dd7cdea8ff3fc496779d84556502cdb562d67f60a0503493705b622d1cb772fc9acb4935aa4fb6a6cbdf7b4b211f

Download Submit
\Users\Admin\AppData\Local\Temp\92F3DF25.EXE
Filesize
7.5MB

MD5
d17fedcbd09fb98051fcf96da18a8aac

SHA1
6a523cff8b733d02ad9f65028b994fdc470897c8

SHA256
ff374aeb654183a0b28d453bbc33cfc01148167a61b05e9aeff600e227475cf7

SHA512
23d5f522da1609159fdb6ff9eba9d443a4f0f9819b517c6e5a9813e9eee571ab94c00c80eedfa9a4883c84b02acf4f0db2c5099c83a3cda649ec1b5572f9f095

Download Submit
\Users\Admin\AppData\Local\Temp\92F3DF25.EXE
Filesize
7.5MB

MD5
d17fedcbd09fb98051fcf96da18a8aac

SHA1
6a523cff8b733d02ad9f65028b994fdc470897c8

SHA256
ff374aeb654183a0b28d453bbc33cfc01148167a61b05e9aeff600e227475cf7

SHA512
23d5f522da1609159fdb6ff9eba9d443a4f0f9819b517c6e5a9813e9eee571ab94c00c80eedfa9a4883c84b02acf4f0db2c5099c83a3cda649ec1b5572f9f095

Download Submit
\Users\Admin\AppData\Local\Temp\E2BFBEC0.EXE
Filesize
7.0MB

MD5
7ec4a713694d351a0a8cb0bace19be2f

SHA1
de0da87dff6f4563b0e716c5533231e58c844a40

SHA256
7ce16dd164e7e6afa8958e993583a5edee588c89717d57c1b9d18175b7723806

SHA512
9ebe7825e90fdb33cbd53c2af7ba52c19661f2edae2464932ba00054dfd291d32d69a846d07a439653a29aaa959b5985265728f6fec749401c35894b780c7f38

Download Submit
\Users\Admin\AppData\Local\Temp\E2BFBEC0.EXE
Filesize
9.5MB

MD5
0ec29d2e49bae6f922b735be7259d3cc

SHA1
0a806b4918388a56e877ca92559d15725df439f2

SHA256
205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60

SHA512
486507b682227fae304280c96a7f6f6ee6a08615cbcbac7754acfd5ee74eb24325ab1cfb8c010b9663cd108b882f78cff9b344515df01c6574e77ac01341be2c

Download Submit
memory/992-94-0x0000000000000000-mapping.dmp

Download
memory/992-113-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-124-0x0000000000400000-0x000000000111B000-memory.dmp

Filesize
13.1MB

Download
memory/992-123-0x0000000005641000-0x00000000064ED000-memory.dmp

Filesize
14.7MB

Download
memory/992-119-0x0000000077A20000-0x0000000077BA0000-memory.dmp

Filesize
1.5MB

Download
memory/992-116-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-115-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-103-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-105-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-104-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-106-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-107-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-108-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-109-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-110-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-111-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-112-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/992-114-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1076-71-0x0000000000000000-mapping.dmp

Download
memory/1512-60-0x0000000000000000-mapping.dmp

Download
memory/1624-87-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1624-78-0x0000000000400000-0x00000000015C0000-memory.dmp

Filesize
17.8MB

Download
memory/1624-74-0x0000000000000000-mapping.dmp

Download
memory/1624-79-0x0000000000400000-0x00000000015C0000-memory.dmp

Filesize
17.8MB

Download
memory/1624-81-0x0000000000401000-0x00000000004A4000-memory.dmp

Filesize
652KB

Download
memory/1624-85-0x0000000006AA1000-0x000000000794D000-memory.dmp

Filesize
14.7MB

Download
memory/1624-80-0x0000000077A20000-0x0000000077BA0000-memory.dmp

Filesize
1.5MB

Download
memory/1932-70-0x0000000000400000-0x000000000106E000-memory.dmp

Filesize
12.4MB

Download
memory/1932-69-0x0000000077A20000-0x0000000077BA0000-memory.dmp

Filesize
1.5MB

Download
memory/1932-62-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/2028-59-0x0000000000400000-0x000000000106E000-memory.dmp

Filesize
12.4MB

Download
memory/2028-58-0x0000000077A20000-0x0000000077BA0000-memory.dmp

Filesize
1.5MB

Download