6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c

Analysis

max time kernel
31s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
Size

726KB
MD5

a34723ece540d72a8ed783376e9f7030
SHA1

75b1fd929621956332b3ee543848fb11fbbe05a6
SHA256

6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c
SHA512

1f35de288af10838750f3d57f4b255acd6aeeb995b56d9a93e7394dca11aa9f1e6fae5ae2018313ccc8338723da8eefb758b009d769854360806f04b1d51c773
SSDEEP

12288:Tr+K3DCu863yw4lA01u7VsVMz2SgW25jeZ3F7yl8EDpnQj4JuEq:TiKTCYCdBVMKZelFy8ApnQ

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\BmEoAsQw\\HSUUkscI.exe,"	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\BmEoAsQw\\HSUUkscI.exe,"	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 8 IoCs

pid	Process
4500	fAYMcYQo.exe
2340	HSUUkscI.exe
400	HIAUoUoI.exe
1864	HIAUoUoI.exe
224	HSUUkscI.exe
3840	fAYMcYQo.exe
3412	fAYMcYQo.exe
2344	fAYMcYQo.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSUUkscI.exe = "C:\\ProgramData\\BmEoAsQw\\HSUUkscI.exe"	HSUUkscI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSUUkscI.exe = "C:\\ProgramData\\BmEoAsQw\\HSUUkscI.exe"	HIAUoUoI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fAYMcYQo.exe = "C:\\Users\\Admin\\AmwkUswo\\fAYMcYQo.exe"	fAYMcYQo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fAYMcYQo.exe = "C:\\Users\\Admin\\AmwkUswo\\fAYMcYQo.exe"	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSUUkscI.exe = "C:\\ProgramData\\BmEoAsQw\\HSUUkscI.exe"	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AmwkUswo	HIAUoUoI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AmwkUswo\fAYMcYQo	HIAUoUoI.exe

Modifies registry key 1 TTPs 27 IoCs

Modify Registry

T1112

pid	Process
4832	reg.exe
4812	reg.exe
3112	reg.exe
1712	reg.exe
4240	reg.exe
3696	reg.exe
2304	reg.exe
3740	reg.exe
2300	reg.exe
3600	reg.exe
4256	reg.exe
4716	reg.exe
3660	reg.exe
1548	reg.exe
3828	reg.exe
3560	reg.exe
3500	reg.exe
4592	reg.exe
1312	reg.exe
2524	reg.exe
3564	reg.exe
2336	reg.exe
2456	reg.exe
8	reg.exe
1512	reg.exe
5116	reg.exe
368	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
2340	HSUUkscI.exe
2340	HSUUkscI.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 4468	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	82
PID 548 wrote to memory of 4468	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	82
PID 548 wrote to memory of 4468	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	82
PID 548 wrote to memory of 4500	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	83
PID 548 wrote to memory of 4500	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	83
PID 548 wrote to memory of 4500	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	83
PID 548 wrote to memory of 2340	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	84
PID 548 wrote to memory of 2340	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	84
PID 548 wrote to memory of 2340	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	84
PID 400 wrote to memory of 1864	400	HIAUoUoI.exe	86
PID 400 wrote to memory of 1864	400	HIAUoUoI.exe	86
PID 400 wrote to memory of 1864	400	HIAUoUoI.exe	86
PID 2340 wrote to memory of 224	2340	HSUUkscI.exe	87
PID 2340 wrote to memory of 224	2340	HSUUkscI.exe	87
PID 2340 wrote to memory of 224	2340	HSUUkscI.exe	87
PID 4500 wrote to memory of 3840	4500	fAYMcYQo.exe	88
PID 4500 wrote to memory of 3840	4500	fAYMcYQo.exe	88
PID 4500 wrote to memory of 3840	4500	fAYMcYQo.exe	88
PID 548 wrote to memory of 1924	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	89
PID 548 wrote to memory of 1924	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	89
PID 548 wrote to memory of 1924	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	89
PID 548 wrote to memory of 5116	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	127
PID 548 wrote to memory of 5116	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	127
PID 548 wrote to memory of 5116	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	127
PID 548 wrote to memory of 3696	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	91
PID 548 wrote to memory of 3696	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	91
PID 548 wrote to memory of 3696	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	91
PID 548 wrote to memory of 3564	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	92
PID 548 wrote to memory of 3564	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	92
PID 548 wrote to memory of 3564	548	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	92
PID 2340 wrote to memory of 3412	2340	HSUUkscI.exe	97
PID 2340 wrote to memory of 3412	2340	HSUUkscI.exe	97
PID 2340 wrote to memory of 3412	2340	HSUUkscI.exe	97
PID 1924 wrote to memory of 4388	1924	cmd.exe	98
PID 1924 wrote to memory of 4388	1924	cmd.exe	98
PID 1924 wrote to memory of 4388	1924	cmd.exe	98
PID 3412 wrote to memory of 2344	3412	fAYMcYQo.exe	99
PID 3412 wrote to memory of 2344	3412	fAYMcYQo.exe	99
PID 3412 wrote to memory of 2344	3412	fAYMcYQo.exe	99
PID 4388 wrote to memory of 3860	4388	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	100
PID 4388 wrote to memory of 3860	4388	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	100
PID 4388 wrote to memory of 3860	4388	6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe	100

C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
"C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
  IRGD
  2⤵
  PID:4468
- C:\Users\Admin\AmwkUswo\fAYMcYQo.exe
  "C:\Users\Admin\AmwkUswo\fAYMcYQo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Users\Admin\AmwkUswo\fAYMcYQo.exe
    KSJC
    3⤵
    - Executes dropped EXE
    PID:3840
- C:\ProgramData\BmEoAsQw\HSUUkscI.exe
  "C:\ProgramData\BmEoAsQw\HSUUkscI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\ProgramData\BmEoAsQw\HSUUkscI.exe
    LQVI
    3⤵
    - Executes dropped EXE
    PID:224
- - C:\Users\Admin\AmwkUswo\fAYMcYQo.exe
    "C:\Users\Admin\AmwkUswo\fAYMcYQo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Users\Admin\AmwkUswo\fAYMcYQo.exe
      KSJC
      4⤵
      Executes dropped EXE
      PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
    C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
      IRGD
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c"
      4⤵
      PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c
        5⤵
        
        PID:444
      - C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        IRGD
        6⤵
        
        PID:5032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c"
        6⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c
        7⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        IRGD
        8⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c"
        8⤵
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c
        9⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        IRGD
        10⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c"
        10⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c
        11⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        IRGD
        12⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c"
        12⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c
        13⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        IRGD
        14⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c"
        14⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c
        15⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        IRGD
        16⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c"
        16⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c
        17⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c.exe
        
        IRGD
        18⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:3660
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:4240
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:1712
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3560
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:4256
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2304
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4716
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:5116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3696
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3564

C:\ProgramData\pqogMMkw\HIAUoUoI.exe
C:\ProgramData\pqogMMkw\HIAUoUoI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:400
- C:\ProgramData\pqogMMkw\HIAUoUoI.exe
  HBYZ
  2⤵
  - Executes dropped EXE
  PID:1864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BmEoAsQw\HSUUkscI.exe

Filesize
714KB

MD5
41ba116b44976f25df7e200bbb587284

SHA1
05233c3173452ee790d1ae51686121daa09ada37

SHA256
d6d2efcb7a2f86932c0403ff1438c36788e20efaf95341d95073d1a0557dd5e8

SHA512
1a47d9dee77c84cc0542107a82723ceb52d52c75dc14170804806cb62ef86c695927acd3fd8aa98709da0e0971c2348698e1ec508f5a3a1060891ad692f9d820

Download Submit
C:\ProgramData\BmEoAsQw\HSUUkscI.exe

Filesize
714KB

MD5
41ba116b44976f25df7e200bbb587284

SHA1
05233c3173452ee790d1ae51686121daa09ada37

SHA256
d6d2efcb7a2f86932c0403ff1438c36788e20efaf95341d95073d1a0557dd5e8

SHA512
1a47d9dee77c84cc0542107a82723ceb52d52c75dc14170804806cb62ef86c695927acd3fd8aa98709da0e0971c2348698e1ec508f5a3a1060891ad692f9d820

Download Submit
C:\ProgramData\BmEoAsQw\HSUUkscI.exe

Filesize
714KB

MD5
41ba116b44976f25df7e200bbb587284

SHA1
05233c3173452ee790d1ae51686121daa09ada37

SHA256
d6d2efcb7a2f86932c0403ff1438c36788e20efaf95341d95073d1a0557dd5e8

SHA512
1a47d9dee77c84cc0542107a82723ceb52d52c75dc14170804806cb62ef86c695927acd3fd8aa98709da0e0971c2348698e1ec508f5a3a1060891ad692f9d820

Download Submit
C:\ProgramData\BmEoAsQw\HSUUkscILQVI

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\ProgramData\pqogMMkw\HIAUoUoI.exe

Filesize
715KB

MD5
06d2ccdaf1f477603cd5f17a4b5237e0

SHA1
519cdac70fdf0c411d18fdd324dbd789ff75f69b

SHA256
506940afaa6cec17f2e274be23cd1e405530624563bc66a2727a498e1ea263f9

SHA512
3456bb44ff3a05ed70e1b94ffbe0098c6ac51296e69ab43fce509ff0b48faeeb7ac70cfc9067f365ac7db603cdcb5bc119b72c0a0de4b179a536a0b032ab60ae

Download Submit
C:\ProgramData\pqogMMkw\HIAUoUoI.exe

Filesize
715KB

MD5
06d2ccdaf1f477603cd5f17a4b5237e0

SHA1
519cdac70fdf0c411d18fdd324dbd789ff75f69b

SHA256
506940afaa6cec17f2e274be23cd1e405530624563bc66a2727a498e1ea263f9

SHA512
3456bb44ff3a05ed70e1b94ffbe0098c6ac51296e69ab43fce509ff0b48faeeb7ac70cfc9067f365ac7db603cdcb5bc119b72c0a0de4b179a536a0b032ab60ae

Download Submit
C:\ProgramData\pqogMMkw\HIAUoUoI.exe

Filesize
715KB

MD5
06d2ccdaf1f477603cd5f17a4b5237e0

SHA1
519cdac70fdf0c411d18fdd324dbd789ff75f69b

SHA256
506940afaa6cec17f2e274be23cd1e405530624563bc66a2727a498e1ea263f9

SHA512
3456bb44ff3a05ed70e1b94ffbe0098c6ac51296e69ab43fce509ff0b48faeeb7ac70cfc9067f365ac7db603cdcb5bc119b72c0a0de4b179a536a0b032ab60ae

Download Submit
C:\ProgramData\pqogMMkw\HIAUoUoIHBYZ

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AmwkUswo\fAYMcYQo.exe

Filesize
714KB

MD5
e8a80d176130382984a93c6058ca6c9b

SHA1
0886d0ce86025616afd3f5230aec0de8ed49bebb

SHA256
69d111e2b10ceb57f30050ac47f811d8585b06981d33c506eec4385040b19e55

SHA512
dadaeada28f6108484d905c9015ed8c21d410ba53798b352a5ecca2fa41fb60570c7183c38db9c84a184e637779fbf5f4726feb7b0cddc6cb837fa75e23b9f37

Download Submit
C:\Users\Admin\AmwkUswo\fAYMcYQo.exe

Filesize
714KB

MD5
e8a80d176130382984a93c6058ca6c9b

SHA1
0886d0ce86025616afd3f5230aec0de8ed49bebb

SHA256
69d111e2b10ceb57f30050ac47f811d8585b06981d33c506eec4385040b19e55

SHA512
dadaeada28f6108484d905c9015ed8c21d410ba53798b352a5ecca2fa41fb60570c7183c38db9c84a184e637779fbf5f4726feb7b0cddc6cb837fa75e23b9f37

Download Submit
C:\Users\Admin\AmwkUswo\fAYMcYQo.exe

Filesize
714KB

MD5
e8a80d176130382984a93c6058ca6c9b

SHA1
0886d0ce86025616afd3f5230aec0de8ed49bebb

SHA256
69d111e2b10ceb57f30050ac47f811d8585b06981d33c506eec4385040b19e55

SHA512
dadaeada28f6108484d905c9015ed8c21d410ba53798b352a5ecca2fa41fb60570c7183c38db9c84a184e637779fbf5f4726feb7b0cddc6cb837fa75e23b9f37

Download Submit
C:\Users\Admin\AmwkUswo\fAYMcYQo.exe

Filesize
714KB

MD5
e8a80d176130382984a93c6058ca6c9b

SHA1
0886d0ce86025616afd3f5230aec0de8ed49bebb

SHA256
69d111e2b10ceb57f30050ac47f811d8585b06981d33c506eec4385040b19e55

SHA512
dadaeada28f6108484d905c9015ed8c21d410ba53798b352a5ecca2fa41fb60570c7183c38db9c84a184e637779fbf5f4726feb7b0cddc6cb837fa75e23b9f37

Download Submit
C:\Users\Admin\AmwkUswo\fAYMcYQo.exe

Filesize
714KB

MD5
e8a80d176130382984a93c6058ca6c9b

SHA1
0886d0ce86025616afd3f5230aec0de8ed49bebb

SHA256
69d111e2b10ceb57f30050ac47f811d8585b06981d33c506eec4385040b19e55

SHA512
dadaeada28f6108484d905c9015ed8c21d410ba53798b352a5ecca2fa41fb60570c7183c38db9c84a184e637779fbf5f4726feb7b0cddc6cb837fa75e23b9f37

Download Submit
C:\Users\Admin\AmwkUswo\fAYMcYQoKSJC

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AmwkUswo\fAYMcYQoKSJC

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442c

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442cIRGD

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442cIRGD

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442cIRGD

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442cIRGD

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442cIRGD

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442cIRGD

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442cIRGD

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442cIRGD

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d23398a27a09e01c1a97377224c6090249b01d72dd1040fd7094a313292442cIRGD

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
memory/224-158-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/224-155-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/400-179-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/400-149-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/400-164-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/444-221-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/444-202-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/444-223-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/548-162-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/548-138-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/548-137-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/548-132-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1712-268-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1712-275-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1712-279-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1864-154-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1864-159-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2340-281-0x0000000009A50000-0x0000000009A76000-memory.dmp

Filesize
152KB

Download
memory/2340-163-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2340-272-0x00000000097C0000-0x00000000097C5000-memory.dmp

Filesize
20KB

Download
memory/2340-191-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2340-148-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2340-178-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2340-273-0x0000000009A50000-0x0000000009A76000-memory.dmp

Filesize
152KB

Download
memory/2344-183-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3408-235-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3408-209-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3408-214-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3408-225-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3412-176-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3412-200-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3412-188-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3412-213-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3840-167-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3840-165-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3860-184-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4356-261-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4356-280-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4356-274-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4388-212-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4388-187-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4388-201-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4468-135-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4468-134-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4492-246-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4500-147-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4500-177-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4500-199-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4500-171-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4764-226-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4764-237-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4764-247-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5024-249-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5024-238-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5024-258-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5024-233-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5032-197-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5052-260-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5052-250-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5052-270-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download