abac9b724c6d13aa90b5484b7c424c1505f9f7d58504954bb3ed9b718a448991

Analysis

max time kernel
149s
max time network
166s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-07-2022 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan/3.exe
Size

376KB
MD5

ee39fe5532bdf8daa98b723c901896f9
SHA1

74b487e2817f4f18deaa13ba02e33f6dea688469
SHA256

97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050
SHA512

badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Fun.exeSVIQ.EXEdc.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe3.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe

Executes dropped EXE 50 IoCs

Processes:

Fun.exeSVIQ.EXEdc.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXE

pid	process
1244	Fun.exe
1684	SVIQ.EXE
540	dc.exe
848	Fun.exe
1592	SVIQ.EXE
1584	Fun.exe
1636	SVIQ.EXE
432	Fun.exe
1540	SVIQ.EXE
1800	Fun.exe
1552	SVIQ.EXE
2000	Fun.exe
1036	SVIQ.EXE
956	Fun.exe
1232	SVIQ.EXE
1344	Fun.exe
1812	SVIQ.EXE
1432	Fun.exe
1484	SVIQ.EXE
1248	Fun.exe
1464	Fun.exe
1708	SVIQ.EXE
1676	Fun.exe
1668	SVIQ.EXE
756	Fun.exe
1876	SVIQ.EXE
1952	Fun.exe
848	SVIQ.EXE
640	Fun.exe
1736	SVIQ.EXE
1612	Fun.exe
1644	SVIQ.EXE
1232	Fun.exe
324	Fun.exe
1632	Fun.exe
1488	Fun.exe
1184	Fun.exe
1080	Fun.exe
1988	Fun.exe
1992	SVIQ.EXE
776	Fun.exe
1856	SVIQ.EXE
1936	Fun.exe
1784	SVIQ.EXE
1712	Fun.exe
1244	SVIQ.EXE
1312	Fun.exe
1616	SVIQ.EXE
1696	Fun.exe
1640	SVIQ.EXE

Loads dropped DLL 29 IoCs

Processes:

3.exedc.exeSVIQ.EXE

pid	process
1436	3.exe
1436	3.exe
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1684	SVIQ.EXE
1684	SVIQ.EXE
540	dc.exe
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
540	dc.exe
1684	SVIQ.EXE
1684	SVIQ.EXE
540	dc.exe
1684	SVIQ.EXE
1684	SVIQ.EXE
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1684	SVIQ.EXE

Adds Run key to start application 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Fun.exedc.exeFun.exeFun.exeFun.exeFun.exeFun.exeSVIQ.EXEFun.exeFun.exeFun.exe3.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	3.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	3.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	3.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	dc.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	dc.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe

Drops file in System32 directory 50 IoCs

Processes:

Fun.exeFun.exe3.exeFun.exeFun.exedc.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeSVIQ.EXEFun.exeFun.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File created	C:\Windows\SysWOW64\WinSit.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	dc.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File created	C:\Windows\SysWOW64\config\Win.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	dc.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe

Drops file in Windows directory 64 IoCs

Processes:

Fun.exeFun.exeFun.exeFun.exedc.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe3.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeSVIQ.EXE

description	ioc	process
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\dc.exe	dc.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	3.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\Help\Other.exe	3.exe
File created	C:\Windows\SVIQ.EXE	dc.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	3.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	3.exe
File created	C:\Windows\system\Fun.exe	SVIQ.EXE
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	SVIQ.EXE
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\system\Fun.exe	dc.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\inf\Other.exe	3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3.exeFun.exeSVIQ.EXEdc.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXE

pid	process
1436	3.exe
1436	3.exe
1244	Fun.exe
1684	SVIQ.EXE
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1244	Fun.exe
1436	3.exe
1684	SVIQ.EXE
540	dc.exe
1244	Fun.exe
1684	SVIQ.EXE
540	dc.exe
1244	Fun.exe
1684	SVIQ.EXE
1244	Fun.exe
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1244	Fun.exe
1684	SVIQ.EXE
1244	Fun.exe
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1244	Fun.exe
1684	SVIQ.EXE
1244	Fun.exe
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1244	Fun.exe
1684	SVIQ.EXE
1244	Fun.exe
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
1244	Fun.exe
1684	SVIQ.EXE
1244	Fun.exe
540	dc.exe
1684	SVIQ.EXE
540	dc.exe
848	Fun.exe
1592	SVIQ.EXE
1684	SVIQ.EXE
1584	Fun.exe
1636	SVIQ.EXE
540	dc.exe
432	Fun.exe
1540	SVIQ.EXE
1684	SVIQ.EXE
1800	Fun.exe
1552	SVIQ.EXE
540	dc.exe
2000	Fun.exe
1036	SVIQ.EXE
1684	SVIQ.EXE
956	Fun.exe
1232	SVIQ.EXE
540	dc.exe
1344	Fun.exe
1812	SVIQ.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

3.exeFun.exeSVIQ.EXEdc.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exe

pid	process
1436	3.exe
1436	3.exe
1244	Fun.exe
1244	Fun.exe
1684	SVIQ.EXE
1684	SVIQ.EXE
540	dc.exe
540	dc.exe
848	Fun.exe
848	Fun.exe
1592	SVIQ.EXE
1592	SVIQ.EXE
1584	Fun.exe
1584	Fun.exe
1636	SVIQ.EXE
1636	SVIQ.EXE
432	Fun.exe
432	Fun.exe
1540	SVIQ.EXE
1540	SVIQ.EXE
1800	Fun.exe
1800	Fun.exe
1552	SVIQ.EXE
1552	SVIQ.EXE
2000	Fun.exe
2000	Fun.exe
1036	SVIQ.EXE
1036	SVIQ.EXE
956	Fun.exe
956	Fun.exe
1232	SVIQ.EXE
1232	SVIQ.EXE
1344	Fun.exe
1344	Fun.exe
1812	SVIQ.EXE
1812	SVIQ.EXE
1432	Fun.exe
1432	Fun.exe
1484	SVIQ.EXE
1484	SVIQ.EXE
1248	Fun.exe
1464	Fun.exe
1248	Fun.exe
1464	Fun.exe
1708	SVIQ.EXE
1708	SVIQ.EXE
1676	Fun.exe
1676	Fun.exe
1668	SVIQ.EXE
1668	SVIQ.EXE
756	Fun.exe
756	Fun.exe
1876	SVIQ.EXE
1876	SVIQ.EXE
1952	Fun.exe
1952	Fun.exe
848	SVIQ.EXE
848	SVIQ.EXE
640	Fun.exe
640	Fun.exe
1736	SVIQ.EXE
1736	SVIQ.EXE
1612	Fun.exe
1612	Fun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3.exeFun.exedc.exeFun.exeSVIQ.EXEFun.exeFun.exeFun.exeFun.exeFun.exe

description	pid	process	target process
PID 1436 wrote to memory of 1244	1436	3.exe	Fun.exe
PID 1436 wrote to memory of 1244	1436	3.exe	Fun.exe
PID 1436 wrote to memory of 1244	1436	3.exe	Fun.exe
PID 1436 wrote to memory of 1244	1436	3.exe	Fun.exe
PID 1244 wrote to memory of 1684	1244	Fun.exe	SVIQ.EXE
PID 1244 wrote to memory of 1684	1244	Fun.exe	SVIQ.EXE
PID 1244 wrote to memory of 1684	1244	Fun.exe	SVIQ.EXE
PID 1244 wrote to memory of 1684	1244	Fun.exe	SVIQ.EXE
PID 1436 wrote to memory of 540	1436	3.exe	dc.exe
PID 1436 wrote to memory of 540	1436	3.exe	dc.exe
PID 1436 wrote to memory of 540	1436	3.exe	dc.exe
PID 1436 wrote to memory of 540	1436	3.exe	dc.exe
PID 540 wrote to memory of 848	540	dc.exe	Fun.exe
PID 540 wrote to memory of 848	540	dc.exe	Fun.exe
PID 540 wrote to memory of 848	540	dc.exe	Fun.exe
PID 540 wrote to memory of 848	540	dc.exe	Fun.exe
PID 848 wrote to memory of 1592	848	Fun.exe	SVIQ.EXE
PID 848 wrote to memory of 1592	848	Fun.exe	SVIQ.EXE
PID 848 wrote to memory of 1592	848	Fun.exe	SVIQ.EXE
PID 848 wrote to memory of 1592	848	Fun.exe	SVIQ.EXE
PID 1684 wrote to memory of 1584	1684	SVIQ.EXE	Fun.exe
PID 1684 wrote to memory of 1584	1684	SVIQ.EXE	Fun.exe
PID 1684 wrote to memory of 1584	1684	SVIQ.EXE	Fun.exe
PID 1684 wrote to memory of 1584	1684	SVIQ.EXE	Fun.exe
PID 1584 wrote to memory of 1636	1584	Fun.exe	SVIQ.EXE
PID 1584 wrote to memory of 1636	1584	Fun.exe	SVIQ.EXE
PID 1584 wrote to memory of 1636	1584	Fun.exe	SVIQ.EXE
PID 1584 wrote to memory of 1636	1584	Fun.exe	SVIQ.EXE
PID 540 wrote to memory of 432	540	dc.exe	Fun.exe
PID 540 wrote to memory of 432	540	dc.exe	Fun.exe
PID 540 wrote to memory of 432	540	dc.exe	Fun.exe
PID 540 wrote to memory of 432	540	dc.exe	Fun.exe
PID 432 wrote to memory of 1540	432	Fun.exe	SVIQ.EXE
PID 432 wrote to memory of 1540	432	Fun.exe	SVIQ.EXE
PID 432 wrote to memory of 1540	432	Fun.exe	SVIQ.EXE
PID 432 wrote to memory of 1540	432	Fun.exe	SVIQ.EXE
PID 1684 wrote to memory of 1800	1684	SVIQ.EXE	Fun.exe
PID 1684 wrote to memory of 1800	1684	SVIQ.EXE	Fun.exe
PID 1684 wrote to memory of 1800	1684	SVIQ.EXE	Fun.exe
PID 1684 wrote to memory of 1800	1684	SVIQ.EXE	Fun.exe
PID 1800 wrote to memory of 1552	1800	Fun.exe	SVIQ.EXE
PID 1800 wrote to memory of 1552	1800	Fun.exe	SVIQ.EXE
PID 1800 wrote to memory of 1552	1800	Fun.exe	SVIQ.EXE
PID 1800 wrote to memory of 1552	1800	Fun.exe	SVIQ.EXE
PID 540 wrote to memory of 2000	540	dc.exe	Fun.exe
PID 540 wrote to memory of 2000	540	dc.exe	Fun.exe
PID 540 wrote to memory of 2000	540	dc.exe	Fun.exe
PID 540 wrote to memory of 2000	540	dc.exe	Fun.exe
PID 2000 wrote to memory of 1036	2000	Fun.exe	SVIQ.EXE
PID 2000 wrote to memory of 1036	2000	Fun.exe	SVIQ.EXE
PID 2000 wrote to memory of 1036	2000	Fun.exe	SVIQ.EXE
PID 2000 wrote to memory of 1036	2000	Fun.exe	SVIQ.EXE
PID 1684 wrote to memory of 956	1684	SVIQ.EXE	Fun.exe
PID 1684 wrote to memory of 956	1684	SVIQ.EXE	Fun.exe
PID 1684 wrote to memory of 956	1684	SVIQ.EXE	Fun.exe
PID 1684 wrote to memory of 956	1684	SVIQ.EXE	Fun.exe
PID 956 wrote to memory of 1232	956	Fun.exe	SVIQ.EXE
PID 956 wrote to memory of 1232	956	Fun.exe	SVIQ.EXE
PID 956 wrote to memory of 1232	956	Fun.exe	SVIQ.EXE
PID 956 wrote to memory of 1232	956	Fun.exe	SVIQ.EXE
PID 540 wrote to memory of 1344	540	dc.exe	Fun.exe
PID 540 wrote to memory of 1344	540	dc.exe	Fun.exe
PID 540 wrote to memory of 1344	540	dc.exe	Fun.exe
PID 540 wrote to memory of 1344	540	dc.exe	Fun.exe

C:\Users\Admin\AppData\Local\Temp\trojan\3.exe
"C:\Users\Admin\AppData\Local\Temp\trojan\3.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:640

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
PID:1232

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
PID:1632

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
PID:1080

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:1988

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:1992

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:776

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:1856

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:1712

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:1244

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:1696

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:1640

C:\Windows\dc.exe
C:\Windows\dc.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:848

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
PID:1644

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Executes dropped EXE
PID:324

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Executes dropped EXE
PID:1488

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Executes dropped EXE
PID:1184

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:1936

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
PID:1784

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:1312

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
63KB

MD5
6923eec062cccaa8f96945f36d8177ac

SHA1
3ea89f2dd031051625da93ee221a3defa350a23d

SHA256
551f5679373193a61b76adede3ac027e1e314e402a9e1a57ee0634d412d7c16c

SHA512
13e99e347297a04ee721e7d09a3f2f6c60dfc6ba3705d820bf7886f4f6c26e919c42eeddf3c68bbbd1bd019579b770f3e742854d2cae13ef54e7e8a449d6b694

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
63KB

MD5
6923eec062cccaa8f96945f36d8177ac

SHA1
3ea89f2dd031051625da93ee221a3defa350a23d

SHA256
551f5679373193a61b76adede3ac027e1e314e402a9e1a57ee0634d412d7c16c

SHA512
13e99e347297a04ee721e7d09a3f2f6c60dfc6ba3705d820bf7886f4f6c26e919c42eeddf3c68bbbd1bd019579b770f3e742854d2cae13ef54e7e8a449d6b694

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\dc.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\dc.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\dc.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\dc.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\inf\Other.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
memory/324-322-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/324-315-0x0000000000000000-mapping.dmp

Download
memory/432-162-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/432-146-0x0000000000000000-mapping.dmp

Download
memory/540-90-0x0000000000000000-mapping.dmp

Download
memory/540-259-0x0000000001EC0000-0x0000000001F3A000-memory.dmp

Filesize
488KB

Download
memory/540-176-0x0000000001EC0000-0x0000000001F3A000-memory.dmp

Filesize
488KB

Download
memory/540-102-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/540-124-0x0000000001EC0000-0x0000000001F3A000-memory.dmp

Filesize
488KB

Download
memory/540-304-0x0000000001EC0000-0x0000000001F3A000-memory.dmp

Filesize
488KB

Download
memory/640-291-0x0000000000000000-mapping.dmp

Download
memory/756-268-0x0000000000000000-mapping.dmp

Download
memory/756-278-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/776-356-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/776-353-0x0000000000000000-mapping.dmp

Download
memory/848-106-0x0000000000000000-mapping.dmp

Download
memory/848-288-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/848-284-0x0000000000000000-mapping.dmp

Download
memory/848-123-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/956-214-0x0000000000650000-0x00000000006CA000-memory.dmp

Filesize
488KB

Download
memory/956-203-0x0000000000000000-mapping.dmp

Download
memory/956-213-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/956-215-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1036-200-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1036-196-0x0000000000000000-mapping.dmp

Download
memory/1080-333-0x0000000000000000-mapping.dmp

Download
memory/1080-340-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1080-343-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1184-334-0x0000000000000000-mapping.dmp

Download
memory/1184-339-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1232-207-0x0000000000000000-mapping.dmp

Download
memory/1232-211-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1232-314-0x0000000000000000-mapping.dmp

Download
memory/1244-104-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1244-60-0x0000000000000000-mapping.dmp

Download
memory/1244-79-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1244-381-0x0000000000000000-mapping.dmp

Download
memory/1244-100-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1248-245-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1248-240-0x0000000000000000-mapping.dmp

Download
memory/1312-388-0x0000000000000000-mapping.dmp

Download
memory/1344-216-0x0000000000000000-mapping.dmp

Download
memory/1344-226-0x00000000025A0000-0x00000000025A2000-memory.dmp

Filesize
8KB

Download
memory/1344-225-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1432-230-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1432-227-0x0000000000000000-mapping.dmp

Download
memory/1436-101-0x00000000033E0000-0x000000000345A000-memory.dmp

Filesize
488KB

Download
memory/1436-57-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1436-75-0x00000000033E0000-0x000000000345A000-memory.dmp

Filesize
488KB

Download
memory/1436-103-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1436-77-0x00000000033E0000-0x000000000345A000-memory.dmp

Filesize
488KB

Download
memory/1464-239-0x0000000000000000-mapping.dmp

Download
memory/1464-246-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1484-235-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1484-237-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1484-232-0x0000000000000000-mapping.dmp

Download
memory/1488-323-0x0000000000000000-mapping.dmp

Download
memory/1540-156-0x0000000000000000-mapping.dmp

Download
memory/1552-182-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1552-174-0x0000000000000000-mapping.dmp

Download
memory/1552-183-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1584-126-0x0000000000000000-mapping.dmp

Download
memory/1584-143-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1592-116-0x0000000000000000-mapping.dmp

Download
memory/1592-121-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1612-301-0x0000000000000000-mapping.dmp

Download
memory/1612-305-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1616-392-0x0000000000000000-mapping.dmp

Download
memory/1632-331-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1632-324-0x0000000000000000-mapping.dmp

Download
memory/1636-136-0x0000000000000000-mapping.dmp

Download
memory/1636-141-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1640-402-0x0000000000000000-mapping.dmp

Download
memory/1644-307-0x0000000000000000-mapping.dmp

Download
memory/1644-312-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1644-310-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1668-262-0x0000000000000000-mapping.dmp

Download
memory/1676-267-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1676-256-0x0000000000000000-mapping.dmp

Download
memory/1676-260-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1684-144-0x0000000003380000-0x00000000033FA000-memory.dmp

Filesize
488KB

Download
memory/1684-178-0x0000000003380000-0x00000000033FA000-memory.dmp

Filesize
488KB

Download
memory/1684-81-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1684-73-0x0000000000000000-mapping.dmp

Download
memory/1684-332-0x0000000003480000-0x00000000034FA000-memory.dmp

Filesize
488KB

Download
memory/1696-398-0x0000000000000000-mapping.dmp

Download
memory/1708-254-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1708-249-0x0000000000000000-mapping.dmp

Download
memory/1708-252-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1712-376-0x0000000000000000-mapping.dmp

Download
memory/1736-299-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1736-295-0x0000000000000000-mapping.dmp

Download
memory/1784-370-0x0000000000000000-mapping.dmp

Download
memory/1800-164-0x0000000000000000-mapping.dmp

Download
memory/1800-185-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1800-180-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1812-220-0x0000000000000000-mapping.dmp

Download
memory/1856-363-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1856-361-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1856-358-0x0000000000000000-mapping.dmp

Download
memory/1876-276-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1876-272-0x0000000000000000-mapping.dmp

Download
memory/1936-365-0x0000000000000000-mapping.dmp

Download
memory/1936-368-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1936-375-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1952-290-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1952-279-0x0000000000000000-mapping.dmp

Download
memory/1952-282-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1988-352-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1988-347-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1988-344-0x0000000000000000-mapping.dmp

Download
memory/1992-350-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1992-349-0x0000000000000000-mapping.dmp

Download
memory/2000-202-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2000-187-0x0000000000000000-mapping.dmp

Download