6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673

Analysis

max time kernel
54s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
Size

725KB
MD5

8216e32e4e73e497fab6ff34fb42c510
SHA1

139a8f7b5ae769047411591552b065b704ed586e
SHA256

6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
SHA512

1b6234fa1db3ef50da4c01e3e78b337ccb12b5d7e3b90385937f07207e9a8d5cd0ab657600d295b0b53d687653cd4c8aabe6921e79efb4b347a4ddbc7c896a71
SSDEEP

12288:9U+FEvBmQ6A6GxbmmENN5olAM7qqew/wQ+uCf35GRvuSEjIa2:9dSJ36A6qbmpy7qzpGRvuSEjIz

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\FgYUIIUs\\jyMgUkEc.exe,"	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\FgYUIIUs\\jyMgUkEc.exe,"	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe

Executes dropped EXE 4 IoCs

pid	Process
5012	WQwEkswA.exe
3528	jyMgUkEc.exe
400	WQwEkswA.exe
2208	jyMgUkEc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jyMgUkEc.exe = "C:\\ProgramData\\FgYUIIUs\\jyMgUkEc.exe"	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WQwEkswA.exe = "C:\\Users\\Admin\\KyEEoscU\\WQwEkswA.exe"	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe

Modifies registry key 1 TTPs 33 IoCs

Modify Registry

T1112

pid	Process
4620	reg.exe
1832	reg.exe
724	reg.exe
4892	reg.exe
4556	reg.exe
876	reg.exe
1364	reg.exe
3680	reg.exe
1440	reg.exe
3876	reg.exe
4136	reg.exe
4844	reg.exe
4948	reg.exe
4988	reg.exe
2812	reg.exe
1340	reg.exe
3444	reg.exe
2804	reg.exe
624	reg.exe
4596	reg.exe
1044	reg.exe
2196	reg.exe
4320	reg.exe
1860	reg.exe
4364	reg.exe
4848	reg.exe
424	reg.exe
2144	reg.exe
2864	reg.exe
972	reg.exe
5108	reg.exe
4856	reg.exe
3920	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 3460	3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	80
PID 3416 wrote to memory of 3460	3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	80
PID 3416 wrote to memory of 3460	3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	80
PID 3416 wrote to memory of 5012	3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	83
PID 3416 wrote to memory of 5012	3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	83
PID 3416 wrote to memory of 5012	3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	83
PID 3416 wrote to memory of 3528	3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	84
PID 3416 wrote to memory of 3528	3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	84
PID 3416 wrote to memory of 3528	3416	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	84
PID 5012 wrote to memory of 400	5012	WQwEkswA.exe	85
PID 5012 wrote to memory of 400	5012	WQwEkswA.exe	85
PID 5012 wrote to memory of 400	5012	WQwEkswA.exe	85
PID 3528 wrote to memory of 2208	3528	jyMgUkEc.exe	86
PID 3528 wrote to memory of 2208	3528	jyMgUkEc.exe	86
PID 3528 wrote to memory of 2208	3528	jyMgUkEc.exe	86

C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
"C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
  ZKSJ
  2⤵
  PID:3460
- C:\Users\Admin\KyEEoscU\WQwEkswA.exe
  "C:\Users\Admin\KyEEoscU\WQwEkswA.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\KyEEoscU\WQwEkswA.exe
    WLQI
    3⤵
    - Executes dropped EXE
    PID:400
- C:\ProgramData\FgYUIIUs\jyMgUkEc.exe
  "C:\ProgramData\FgYUIIUs\jyMgUkEc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\ProgramData\FgYUIIUs\jyMgUkEc.exe
    VIEC
    3⤵
    - Executes dropped EXE
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673"
  2⤵
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
    C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
      ZKSJ
      4⤵
      PID:4548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673"
      4⤵
      PID:1096
    - - C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
        
        C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
        5⤵
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
        
        ZKSJ
        6⤵
        
        PID:4228
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4848
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:4856
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:3444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673"
        6⤵
        
        PID:4328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:5108
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4596
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4556
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4892
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:972
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4136

C:\ProgramData\AcsYgIwA\tkAAQYQo.exe
C:\ProgramData\AcsYgIwA\tkAAQYQo.exe
1⤵
PID:2172
- C:\ProgramData\AcsYgIwA\tkAAQYQo.exe
  MTUK
  2⤵
  PID:1656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
1⤵
PID:2616
- C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
  ZKSJ
  2⤵
  PID:904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1044
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673"
  2⤵
  PID:3068

C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
1⤵
PID:860
- C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
  ZKSJ
  2⤵
  PID:2372
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2196
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4844
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673"
  2⤵
  PID:4384

C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
1⤵
PID:880
- C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
  ZKSJ
  2⤵
  PID:4520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:624
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1832
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673"
  2⤵
  PID:1456

C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
1⤵
PID:1792
- C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
  ZKSJ
  2⤵
  PID:1140
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:424
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673"
  2⤵
  PID:4880

C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
1⤵
PID:4036
- C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
  ZKSJ
  2⤵
  PID:4864
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1860
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673"
  2⤵
  PID:3388

C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
1⤵
PID:3640
- C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
  ZKSJ
  2⤵
  PID:4456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673"
  2⤵
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
    C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
    3⤵
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
      ZKSJ
      4⤵
      PID:3400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673"
      4⤵
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
        
        C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673
        5⤵
        
        PID:4084
      - C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
        
        ZKSJ
        6⤵
        
        PID:908
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:3876
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2864
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:1340
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1440
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2812
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3920
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4620
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AcsYgIwA\tkAAQYQo.exe

Filesize
714KB

MD5
eb0ef31f196a5a4d1c512282491b05fa

SHA1
a25f0cb21a0d04a68dffbc4eede7c95e33cad8d4

SHA256
dc8b4b059d8ffa70117a7b7c36293bc9319e4e7a9bfc0ba8df11c2af695fd792

SHA512
3b9ce7e6e6e10d3ac064277b525d6436227d9a2847c962cf9d7d665710545f60e023beeeca68788ad1ed03f13d556f518b15956be6c64d8327f293f51c44a637

Download Submit
C:\ProgramData\AcsYgIwA\tkAAQYQo.exe

Filesize
714KB

MD5
eb0ef31f196a5a4d1c512282491b05fa

SHA1
a25f0cb21a0d04a68dffbc4eede7c95e33cad8d4

SHA256
dc8b4b059d8ffa70117a7b7c36293bc9319e4e7a9bfc0ba8df11c2af695fd792

SHA512
3b9ce7e6e6e10d3ac064277b525d6436227d9a2847c962cf9d7d665710545f60e023beeeca68788ad1ed03f13d556f518b15956be6c64d8327f293f51c44a637

Download Submit
C:\ProgramData\AcsYgIwA\tkAAQYQo.exe

Filesize
714KB

MD5
eb0ef31f196a5a4d1c512282491b05fa

SHA1
a25f0cb21a0d04a68dffbc4eede7c95e33cad8d4

SHA256
dc8b4b059d8ffa70117a7b7c36293bc9319e4e7a9bfc0ba8df11c2af695fd792

SHA512
3b9ce7e6e6e10d3ac064277b525d6436227d9a2847c962cf9d7d665710545f60e023beeeca68788ad1ed03f13d556f518b15956be6c64d8327f293f51c44a637

Download Submit
C:\ProgramData\AcsYgIwA\tkAAQYQoMTUK

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\ProgramData\FgYUIIUs\jyMgUkEc.exe

Filesize
714KB

MD5
c3820e3a6ad1b560541fc133e86f6356

SHA1
4f65a4658fa8cfa3b7d2a9efccce1fee265dc5f1

SHA256
d65f786bf1b48be294111f1c3014569ba3be058f78d3ef2a463bb0e9f762b26e

SHA512
9282860c558dd4daa419596de736be0fe917e06ef03eae98b9b7e20b320ecdbd30f63447bcc02841815a406811cb269d3f8d74aad9f140e7c6ed9498a14b033c

Download Submit
C:\ProgramData\FgYUIIUs\jyMgUkEc.exe

Filesize
714KB

MD5
c3820e3a6ad1b560541fc133e86f6356

SHA1
4f65a4658fa8cfa3b7d2a9efccce1fee265dc5f1

SHA256
d65f786bf1b48be294111f1c3014569ba3be058f78d3ef2a463bb0e9f762b26e

SHA512
9282860c558dd4daa419596de736be0fe917e06ef03eae98b9b7e20b320ecdbd30f63447bcc02841815a406811cb269d3f8d74aad9f140e7c6ed9498a14b033c

Download Submit
C:\ProgramData\FgYUIIUs\jyMgUkEc.exe

Filesize
714KB

MD5
c3820e3a6ad1b560541fc133e86f6356

SHA1
4f65a4658fa8cfa3b7d2a9efccce1fee265dc5f1

SHA256
d65f786bf1b48be294111f1c3014569ba3be058f78d3ef2a463bb0e9f762b26e

SHA512
9282860c558dd4daa419596de736be0fe917e06ef03eae98b9b7e20b320ecdbd30f63447bcc02841815a406811cb269d3f8d74aad9f140e7c6ed9498a14b033c

Download Submit
C:\ProgramData\FgYUIIUs\jyMgUkEcVIEC

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673ZKSJ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\KyEEoscU\WQwEkswA.exe

Filesize
714KB

MD5
b6819980a24c39260fa59bcb3db9d09b

SHA1
653932386d18d822b8cb7462034797cae62a87e8

SHA256
61f0cf53005332f4ab3658dc79db1eaaa45cdbabc955f91f1f608131cc8afe0f

SHA512
20bcb88dbf6b10b84c1b408d6a52c41a7b1d61b300e39d3f29264be969cf0353e40171e815332e4e90edff49e29874ee45ac39dbdf93adec1e0ecd37d7022a14

Download Submit
C:\Users\Admin\KyEEoscU\WQwEkswA.exe

Filesize
714KB

MD5
b6819980a24c39260fa59bcb3db9d09b

SHA1
653932386d18d822b8cb7462034797cae62a87e8

SHA256
61f0cf53005332f4ab3658dc79db1eaaa45cdbabc955f91f1f608131cc8afe0f

SHA512
20bcb88dbf6b10b84c1b408d6a52c41a7b1d61b300e39d3f29264be969cf0353e40171e815332e4e90edff49e29874ee45ac39dbdf93adec1e0ecd37d7022a14

Download Submit
C:\Users\Admin\KyEEoscU\WQwEkswA.exe

Filesize
714KB

MD5
b6819980a24c39260fa59bcb3db9d09b

SHA1
653932386d18d822b8cb7462034797cae62a87e8

SHA256
61f0cf53005332f4ab3658dc79db1eaaa45cdbabc955f91f1f608131cc8afe0f

SHA512
20bcb88dbf6b10b84c1b408d6a52c41a7b1d61b300e39d3f29264be969cf0353e40171e815332e4e90edff49e29874ee45ac39dbdf93adec1e0ecd37d7022a14

Download Submit
C:\Users\Admin\KyEEoscU\WQwEkswAWLQI

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
memory/400-149-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/400-157-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/860-237-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/860-211-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/860-214-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/860-238-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/880-242-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/880-239-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/880-226-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/904-202-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/908-286-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1140-236-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1520-193-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1520-221-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1520-200-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1548-189-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1548-180-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1548-188-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1548-175-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1656-160-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1656-167-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1708-271-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1708-279-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1708-277-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1708-290-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1792-249-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1792-262-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1792-233-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1792-241-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2172-155-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2172-179-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2172-169-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2208-162-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2208-152-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2616-235-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2616-223-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2616-204-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3400-274-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3416-132-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3416-136-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3416-138-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3460-134-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3460-137-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3528-168-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3528-187-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3528-148-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3528-165-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3640-278-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3640-263-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3640-276-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4036-252-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4036-273-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4036-270-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4084-285-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4084-291-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4456-260-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4520-224-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4548-177-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5012-163-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5012-142-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5012-287-0x0000000009790000-0x0000000009795000-memory.dmp

Filesize
20KB

Download
memory/5012-288-0x0000000009EA0000-0x0000000009EC6000-memory.dmp

Filesize
152KB

Download
memory/5012-186-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5012-164-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download