f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237

Analysis

max time kernel
34s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
Size

725KB
MD5

080b826aa20d1af44d0004f3f8dc3420
SHA1

fb5bfc73eea105b209b164a2157080be6da6b2e3
SHA256

f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237
SHA512

249927fbf1ef5ac6388920cbcb428ef2bfe5804d94d48e3ba6a15d23cf61f5018f073d2a50c07dc24ecc9548eaaea5a21b737fbe6f23e7f7b8a30673744c4f77
SSDEEP

12288:an/FJz6EkQEokBVr4U7VJwy0CgRs/t/hEughoeMqLE0BiTZmy+jt3/K8:an/kQEoDUxCy0i5Eughoe9I08m3x/

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\BCgIoEUY\\fokocMks.exe,"	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\BCgIoEUY\\fokocMks.exe,"	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe

Executes dropped EXE 6 IoCs

pid	Process
1496	CEEcskkc.exe
2148	fokocMks.exe
2488	WWoEUsAc.exe
2368	CEEcskkc.exe
2060	fokocMks.exe
3064	WWoEUsAc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fokocMks.exe = "C:\\ProgramData\\BCgIoEUY\\fokocMks.exe"	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CEEcskkc.exe = "C:\\Users\\Admin\\WMIgoUws\\CEEcskkc.exe"	CEEcskkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fokocMks.exe = "C:\\ProgramData\\BCgIoEUY\\fokocMks.exe"	fokocMks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fokocMks.exe = "C:\\ProgramData\\BCgIoEUY\\fokocMks.exe"	WWoEUsAc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CEEcskkc.exe = "C:\\Users\\Admin\\WMIgoUws\\CEEcskkc.exe"	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\WMIgoUws	WWoEUsAc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\WMIgoUws\CEEcskkc	WWoEUsAc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 21 IoCs

Modify Registry

T1112

pid	Process
312	reg.exe
2280	reg.exe
4776	reg.exe
2012	reg.exe
1768	reg.exe
1380	reg.exe
1836	reg.exe
4736	reg.exe
312	reg.exe
2192	reg.exe
3036	reg.exe
4864	reg.exe
1452	reg.exe
4932	reg.exe
4788	reg.exe
796	reg.exe
2064	reg.exe
3928	reg.exe
1260	reg.exe
3352	reg.exe
1848	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	5036	vssvc.exe
Token: SeRestorePrivilege	5036	vssvc.exe
Token: SeAuditPrivilege	5036	vssvc.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 4912	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	81
PID 3956 wrote to memory of 4912	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	81
PID 3956 wrote to memory of 4912	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	81
PID 3956 wrote to memory of 1496	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	82
PID 3956 wrote to memory of 1496	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	82
PID 3956 wrote to memory of 1496	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	82
PID 3956 wrote to memory of 2148	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	83
PID 3956 wrote to memory of 2148	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	83
PID 3956 wrote to memory of 2148	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	83
PID 1496 wrote to memory of 2368	1496	CEEcskkc.exe	85
PID 1496 wrote to memory of 2368	1496	CEEcskkc.exe	85
PID 1496 wrote to memory of 2368	1496	CEEcskkc.exe	85
PID 2148 wrote to memory of 2060	2148	fokocMks.exe	86
PID 2148 wrote to memory of 2060	2148	fokocMks.exe	86
PID 2148 wrote to memory of 2060	2148	fokocMks.exe	86
PID 2488 wrote to memory of 3064	2488	WWoEUsAc.exe	87
PID 2488 wrote to memory of 3064	2488	WWoEUsAc.exe	87
PID 2488 wrote to memory of 3064	2488	WWoEUsAc.exe	87
PID 3956 wrote to memory of 3188	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	88
PID 3956 wrote to memory of 3188	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	88
PID 3956 wrote to memory of 3188	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	88
PID 3188 wrote to memory of 988	3188	cmd.exe	90
PID 3188 wrote to memory of 988	3188	cmd.exe	90
PID 3188 wrote to memory of 988	3188	cmd.exe	90
PID 3956 wrote to memory of 3928	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	91
PID 3956 wrote to memory of 3928	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	91
PID 3956 wrote to memory of 3928	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	91
PID 3956 wrote to memory of 3036	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	92
PID 3956 wrote to memory of 3036	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	92
PID 3956 wrote to memory of 3036	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	92
PID 3956 wrote to memory of 2012	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	145
PID 3956 wrote to memory of 2012	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	145
PID 3956 wrote to memory of 2012	3956	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	145
PID 988 wrote to memory of 3268	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	97
PID 988 wrote to memory of 3268	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	97
PID 988 wrote to memory of 3268	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	97
PID 988 wrote to memory of 1456	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	103
PID 988 wrote to memory of 1456	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	103
PID 988 wrote to memory of 1456	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	103
PID 1456 wrote to memory of 4524	1456	cmd.exe	105
PID 1456 wrote to memory of 4524	1456	cmd.exe	105
PID 1456 wrote to memory of 4524	1456	cmd.exe	105
PID 988 wrote to memory of 1260	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	106
PID 988 wrote to memory of 1260	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	106
PID 988 wrote to memory of 1260	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	106
PID 988 wrote to memory of 4864	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	107
PID 988 wrote to memory of 4864	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	107
PID 988 wrote to memory of 4864	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	107
PID 988 wrote to memory of 3352	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	130
PID 988 wrote to memory of 3352	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	130
PID 988 wrote to memory of 3352	988	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	130
PID 4524 wrote to memory of 3628	4524	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	112
PID 4524 wrote to memory of 3628	4524	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	112
PID 4524 wrote to memory of 3628	4524	f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe	112

C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
"C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
  HOUK
  2⤵
  PID:4912
- C:\Users\Admin\WMIgoUws\CEEcskkc.exe
  "C:\Users\Admin\WMIgoUws\CEEcskkc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\WMIgoUws\CEEcskkc.exe
    QVIR
    3⤵
    - Executes dropped EXE
    PID:2368
- C:\ProgramData\BCgIoEUY\fokocMks.exe
  "C:\ProgramData\BCgIoEUY\fokocMks.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\ProgramData\BCgIoEUY\fokocMks.exe
    HBYZ
    3⤵
    - Executes dropped EXE
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
    C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
      HOUK
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
        
        HOUK
        6⤵
        
        PID:3628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237"
        6⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237
        7⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
        
        HOUK
        8⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237"
        8⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237
        9⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
        
        HOUK
        10⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237"
        10⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237
        11⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
        
        HOUK
        12⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237"
        12⤵
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        UAC bypass
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237
        13⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237.exe
        
        HOUK
        14⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        UAC bypass
        
        PID:3352
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:1380
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1452
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:4932
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1260
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4864
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3036
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2012

C:\ProgramData\LCoYoEsY\WWoEUsAc.exe
C:\ProgramData\LCoYoEsY\WWoEUsAc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488
- C:\ProgramData\LCoYoEsY\WWoEUsAc.exe
  XJPF
  2⤵
  - Executes dropped EXE
  PID:3064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BCgIoEUY\fokocMks.exe

Filesize
714KB

MD5
fcb65f753387e57c4d8f66d73a3e96d4

SHA1
a40cfb74fc5f28149cd8c6ca92e6d7f975c44f0c

SHA256
2754318f278869ee193192df55baee089b6283984b2e108d17508efaf013108d

SHA512
44f5c58c14c4e80879ece5ede263bf418ecdcc73f6661db4c4c8bcd553442c69654f32ec7677809b4a433b9da0403080df9837b9e6a5cb6a2482dfc88038a3f3

Download Submit
C:\ProgramData\BCgIoEUY\fokocMks.exe

Filesize
714KB

MD5
fcb65f753387e57c4d8f66d73a3e96d4

SHA1
a40cfb74fc5f28149cd8c6ca92e6d7f975c44f0c

SHA256
2754318f278869ee193192df55baee089b6283984b2e108d17508efaf013108d

SHA512
44f5c58c14c4e80879ece5ede263bf418ecdcc73f6661db4c4c8bcd553442c69654f32ec7677809b4a433b9da0403080df9837b9e6a5cb6a2482dfc88038a3f3

Download Submit
C:\ProgramData\BCgIoEUY\fokocMks.exe

Filesize
714KB

MD5
fcb65f753387e57c4d8f66d73a3e96d4

SHA1
a40cfb74fc5f28149cd8c6ca92e6d7f975c44f0c

SHA256
2754318f278869ee193192df55baee089b6283984b2e108d17508efaf013108d

SHA512
44f5c58c14c4e80879ece5ede263bf418ecdcc73f6661db4c4c8bcd553442c69654f32ec7677809b4a433b9da0403080df9837b9e6a5cb6a2482dfc88038a3f3

Download Submit
C:\ProgramData\BCgIoEUY\fokocMksHBYZ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\ProgramData\LCoYoEsY\WWoEUsAc.exe

Filesize
714KB

MD5
5a2e4a91c86c631b1391f26ff90074bf

SHA1
08707e1dee6d425c319b6708e3e4d3866b23d803

SHA256
9cc637beab383ee15c69491b294fa3b36b59ef211a5a07bec6b09e0ca7ea90ba

SHA512
672db92574570e1b16c0ff30f7202002abe25ed2ceffa12c5343c99dff37beb533a3b9e5adbeebd96c3b52851de2096b522ded30ca56a75d0dce2ba48b50f9cd

Download Submit
C:\ProgramData\LCoYoEsY\WWoEUsAc.exe

Filesize
714KB

MD5
5a2e4a91c86c631b1391f26ff90074bf

SHA1
08707e1dee6d425c319b6708e3e4d3866b23d803

SHA256
9cc637beab383ee15c69491b294fa3b36b59ef211a5a07bec6b09e0ca7ea90ba

SHA512
672db92574570e1b16c0ff30f7202002abe25ed2ceffa12c5343c99dff37beb533a3b9e5adbeebd96c3b52851de2096b522ded30ca56a75d0dce2ba48b50f9cd

Download Submit
C:\ProgramData\LCoYoEsY\WWoEUsAc.exe

Filesize
714KB

MD5
5a2e4a91c86c631b1391f26ff90074bf

SHA1
08707e1dee6d425c319b6708e3e4d3866b23d803

SHA256
9cc637beab383ee15c69491b294fa3b36b59ef211a5a07bec6b09e0ca7ea90ba

SHA512
672db92574570e1b16c0ff30f7202002abe25ed2ceffa12c5343c99dff37beb533a3b9e5adbeebd96c3b52851de2096b522ded30ca56a75d0dce2ba48b50f9cd

Download Submit
C:\ProgramData\LCoYoEsY\WWoEUsAcXJPF

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237HOUK

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237HOUK

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237HOUK

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237HOUK

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237HOUK

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237HOUK

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\f64ed41b4c790d677b42cfb15d501609c6a3c4d769e9fcccbb9ba51e2e135237HOUK

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\WMIgoUws\CEEcskkc.exe

Filesize
714KB

MD5
29bc902f0d380e7d3863f556b1c081aa

SHA1
251579cb47e55c238af037d1efb40d3f6005b396

SHA256
44d31ddf4d4e19aca0a91256ccdb60adc6d98daae01ffb99ac1d77c37ee039f2

SHA512
3aa9b0a37892d84a0364545495cb1e6a9fae6cc58b410bf29ee122b5af40004fb6502458234489791e11118916abbb63236f6be0823a3b9b4738bdc1211bc091

Download Submit
C:\Users\Admin\WMIgoUws\CEEcskkc.exe

Filesize
714KB

MD5
29bc902f0d380e7d3863f556b1c081aa

SHA1
251579cb47e55c238af037d1efb40d3f6005b396

SHA256
44d31ddf4d4e19aca0a91256ccdb60adc6d98daae01ffb99ac1d77c37ee039f2

SHA512
3aa9b0a37892d84a0364545495cb1e6a9fae6cc58b410bf29ee122b5af40004fb6502458234489791e11118916abbb63236f6be0823a3b9b4738bdc1211bc091

Download Submit
C:\Users\Admin\WMIgoUws\CEEcskkc.exe

Filesize
714KB

MD5
29bc902f0d380e7d3863f556b1c081aa

SHA1
251579cb47e55c238af037d1efb40d3f6005b396

SHA256
44d31ddf4d4e19aca0a91256ccdb60adc6d98daae01ffb99ac1d77c37ee039f2

SHA512
3aa9b0a37892d84a0364545495cb1e6a9fae6cc58b410bf29ee122b5af40004fb6502458234489791e11118916abbb63236f6be0823a3b9b4738bdc1211bc091

Download Submit
C:\Users\Admin\WMIgoUws\CEEcskkcQVIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
memory/296-235-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/296-247-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/296-242-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/988-192-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/988-173-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/988-179-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/988-200-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1496-147-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1496-164-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1496-249-0x0000000009EB0000-0x0000000009ED6000-memory.dmp

Filesize
152KB

Download
memory/1496-241-0x0000000009EB0000-0x0000000009ED6000-memory.dmp

Filesize
152KB

Download
memory/1496-238-0x00000000097A0000-0x00000000097A5000-memory.dmp

Filesize
20KB

Download
memory/1496-187-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1496-175-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1500-226-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1500-203-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1500-218-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1820-228-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1820-215-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1820-240-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1820-210-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2060-161-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2060-155-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2148-176-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2148-165-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2148-188-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2148-148-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2368-154-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2368-158-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2488-177-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2488-149-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2488-166-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3064-163-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3452-213-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3604-237-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3628-189-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3632-224-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3956-167-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3956-146-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3956-132-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3956-137-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4524-212-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4524-202-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4524-191-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4784-227-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4784-243-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4784-248-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4912-136-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4912-134-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download