f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
Size

948KB
MD5

0db0a8cde156c4a0cfc1cb3f64311430
SHA1

25aa5842ef38284594f446cd7ec576dd11f324c2
SHA256

f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b
SHA512

2d0ad5834154a23a60021d20bc3f7ab264e0b9931e93e247e077f6c56718d6b204e4127613eeb32c4b9f20b1d95c787bda6f4b79db3f87990524d8dbad70bef9
SSDEEP

24576:sUsLCekOjF12RNt8kE6c29/aQydQwj9QE4p0CNn:Xshkm1GNLIQy/j9/MPNn

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\kUwcAwss\\XikckIQs.exe,"	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\kUwcAwss\\XikckIQs.exe,"	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
3520	diAsoUgI.exe
976	XikckIQs.exe
4644	zasIQwok.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	diAsoUgI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XikckIQs.exe = "C:\\ProgramData\\kUwcAwss\\XikckIQs.exe"	zasIQwok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diAsoUgI.exe = "C:\\Users\\Admin\\QEkYYoAU\\diAsoUgI.exe"	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XikckIQs.exe = "C:\\ProgramData\\kUwcAwss\\XikckIQs.exe"	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diAsoUgI.exe = "C:\\Users\\Admin\\QEkYYoAU\\diAsoUgI.exe"	diAsoUgI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XikckIQs.exe = "C:\\ProgramData\\kUwcAwss\\XikckIQs.exe"	XikckIQs.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\QEkYYoAU	zasIQwok.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\QEkYYoAU\diAsoUgI	zasIQwok.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	diAsoUgI.exe
File opened for modification	C:\Windows\SysWOW64\sheOptimizeBlock.gif	diAsoUgI.exe
File opened for modification	C:\Windows\SysWOW64\sheSplitCompress.mpg	diAsoUgI.exe
File opened for modification	C:\Windows\SysWOW64\sheSubmitCheckpoint.doc	diAsoUgI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 15 IoCs

Modify Registry

T1112

pid	Process
1456	reg.exe
5024	reg.exe
4360	reg.exe
2248	reg.exe
4768	reg.exe
4840	reg.exe
8	reg.exe
1320	reg.exe
2348	reg.exe
2028	reg.exe
4380	reg.exe
1812	reg.exe
3568	reg.exe
2740	reg.exe
2888	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
1912	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
1912	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
1912	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
1912	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3748	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
3748	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
3748	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
3748	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3520	diAsoUgI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe
3520	diAsoUgI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3520	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	80
PID 3460 wrote to memory of 3520	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	80
PID 3460 wrote to memory of 3520	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	80
PID 3460 wrote to memory of 976	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	81
PID 3460 wrote to memory of 976	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	81
PID 3460 wrote to memory of 976	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	81
PID 3460 wrote to memory of 3212	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	83
PID 3460 wrote to memory of 3212	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	83
PID 3460 wrote to memory of 3212	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	83
PID 3460 wrote to memory of 8	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	85
PID 3460 wrote to memory of 8	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	85
PID 3460 wrote to memory of 8	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	85
PID 3460 wrote to memory of 4768	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	92
PID 3460 wrote to memory of 4768	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	92
PID 3460 wrote to memory of 4768	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	92
PID 3460 wrote to memory of 2740	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	91
PID 3460 wrote to memory of 2740	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	91
PID 3460 wrote to memory of 2740	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	91
PID 3460 wrote to memory of 4868	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	87
PID 3460 wrote to memory of 4868	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	87
PID 3460 wrote to memory of 4868	3460	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	87
PID 3212 wrote to memory of 5116	3212	cmd.exe	93
PID 3212 wrote to memory of 5116	3212	cmd.exe	93
PID 3212 wrote to memory of 5116	3212	cmd.exe	93
PID 4868 wrote to memory of 1744	4868	cmd.exe	94
PID 4868 wrote to memory of 1744	4868	cmd.exe	94
PID 4868 wrote to memory of 1744	4868	cmd.exe	94
PID 5116 wrote to memory of 1192	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	95
PID 5116 wrote to memory of 1192	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	95
PID 5116 wrote to memory of 1192	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	95
PID 1192 wrote to memory of 1328	1192	cmd.exe	97
PID 1192 wrote to memory of 1328	1192	cmd.exe	97
PID 1192 wrote to memory of 1328	1192	cmd.exe	97
PID 5116 wrote to memory of 4840	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	98
PID 5116 wrote to memory of 4840	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	98
PID 5116 wrote to memory of 4840	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	98
PID 5116 wrote to memory of 1456	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	99
PID 5116 wrote to memory of 1456	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	99
PID 5116 wrote to memory of 1456	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	99
PID 5116 wrote to memory of 5024	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	101
PID 5116 wrote to memory of 5024	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	101
PID 5116 wrote to memory of 5024	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	101
PID 5116 wrote to memory of 4520	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	104
PID 5116 wrote to memory of 4520	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	104
PID 5116 wrote to memory of 4520	5116	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	104
PID 4520 wrote to memory of 3656	4520	cmd.exe	106
PID 4520 wrote to memory of 3656	4520	cmd.exe	106
PID 4520 wrote to memory of 3656	4520	cmd.exe	106
PID 1328 wrote to memory of 332	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	107
PID 1328 wrote to memory of 332	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	107
PID 1328 wrote to memory of 332	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	107
PID 332 wrote to memory of 1912	332	cmd.exe	109
PID 332 wrote to memory of 1912	332	cmd.exe	109
PID 332 wrote to memory of 1912	332	cmd.exe	109
PID 1328 wrote to memory of 2888	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	110
PID 1328 wrote to memory of 2888	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	110
PID 1328 wrote to memory of 2888	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	110
PID 1328 wrote to memory of 1320	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	111
PID 1328 wrote to memory of 1320	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	111
PID 1328 wrote to memory of 1320	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	111
PID 1328 wrote to memory of 4380	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	112
PID 1328 wrote to memory of 4380	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	112
PID 1328 wrote to memory of 4380	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	112
PID 1328 wrote to memory of 4692	1328	f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe	115

C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
"C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\QEkYYoAU\diAsoUgI.exe
  "C:\Users\Admin\QEkYYoAU\diAsoUgI.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3520
- C:\ProgramData\kUwcAwss\XikckIQs.exe
  "C:\ProgramData\kUwcAwss\XikckIQs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
    C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
        
        C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
        
        C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b"
        8⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe
        
        C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuoQwAMc.bat" "C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe""
        8⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2396
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2888
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1320
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiEcowEw.bat" "C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe""
        6⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4840
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1456
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQsgkUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:8
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYgsEsME.bat" "C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1744
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4768

C:\ProgramData\MKoQAMkg\zasIQwok.exe
C:\ProgramData\MKoQAMkg\zasIQwok.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MKoQAMkg\zasIQwok.exe

Filesize
935KB

MD5
d2516840199fb326c597903a8cb9169a

SHA1
54b7078cb3a82234f019e988c5ef3e7e36d3f171

SHA256
11d6195d202d056b56533a3df108fa16c8551390865b6609516d3931b19da2c9

SHA512
799eb1c6668be408d6768874a57418c48196c538bf4377dd83f7ac81c798b7aee001d9abb6609925bbf43763c38cbef48b0e38fec6f225709c5b27292408221d

Download Submit
C:\ProgramData\MKoQAMkg\zasIQwok.exe

Filesize
935KB

MD5
d2516840199fb326c597903a8cb9169a

SHA1
54b7078cb3a82234f019e988c5ef3e7e36d3f171

SHA256
11d6195d202d056b56533a3df108fa16c8551390865b6609516d3931b19da2c9

SHA512
799eb1c6668be408d6768874a57418c48196c538bf4377dd83f7ac81c798b7aee001d9abb6609925bbf43763c38cbef48b0e38fec6f225709c5b27292408221d

Download Submit
C:\ProgramData\kUwcAwss\XikckIQs.exe

Filesize
936KB

MD5
1d92662cb463a4a8c576a016802d4eb1

SHA1
d525e6d5b577dfed86cc793926c4dda156bad3e4

SHA256
dcf2411428a7425605730c699c19d78a8005093df01d9b174826dc306f74f504

SHA512
33c2bc322fe70753ac631afa2f6726860a669b666fc8e16e126192469d6caad36d2f8528827a2730f06673b2ba4f6e8c5a89f83c9ae54eba5052a037e016b24a

Download Submit
C:\ProgramData\kUwcAwss\XikckIQs.exe

Filesize
936KB

MD5
1d92662cb463a4a8c576a016802d4eb1

SHA1
d525e6d5b577dfed86cc793926c4dda156bad3e4

SHA256
dcf2411428a7425605730c699c19d78a8005093df01d9b174826dc306f74f504

SHA512
33c2bc322fe70753ac631afa2f6726860a669b666fc8e16e126192469d6caad36d2f8528827a2730f06673b2ba4f6e8c5a89f83c9ae54eba5052a037e016b24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuoQwAMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QiEcowEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f44ca8d9fd93fd903bdf359de82e28ce7f072534fe1a82816e6eefe4f1328b5b

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQsgkUAQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgsEsME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\QEkYYoAU\diAsoUgI.exe

Filesize
938KB

MD5
be87757746803171fbfca1707c0656c4

SHA1
2effc930ec262806092485396618640fbf093a25

SHA256
64e512f82fefd9f45b0049a439b8133fb9cb16e840d871f93250861d5d50ac35

SHA512
1afb9f6d23f9c45a3023c885684dc04b1a07bdd98487e426001f0e008880ea6902a4a6024ac3e60037e7143d8debb72606585d3510935aa4ca87a4e64a746ddb

Download Submit
C:\Users\Admin\QEkYYoAU\diAsoUgI.exe

Filesize
938KB

MD5
be87757746803171fbfca1707c0656c4

SHA1
2effc930ec262806092485396618640fbf093a25

SHA256
64e512f82fefd9f45b0049a439b8133fb9cb16e840d871f93250861d5d50ac35

SHA512
1afb9f6d23f9c45a3023c885684dc04b1a07bdd98487e426001f0e008880ea6902a4a6024ac3e60037e7143d8debb72606585d3510935aa4ca87a4e64a746ddb

Download Submit
memory/8-145-0x0000000000000000-mapping.dmp

Download
memory/332-168-0x0000000000000000-mapping.dmp

Download
memory/976-180-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/976-142-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/976-136-0x0000000000000000-mapping.dmp

Download
memory/1192-156-0x0000000000000000-mapping.dmp

Download
memory/1320-171-0x0000000000000000-mapping.dmp

Download
memory/1328-175-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1328-157-0x0000000000000000-mapping.dmp

Download
memory/1328-163-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1456-159-0x0000000000000000-mapping.dmp

Download
memory/1744-152-0x0000000000000000-mapping.dmp

Download
memory/1812-184-0x0000000000000000-mapping.dmp

Download
memory/1912-189-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1912-172-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1912-169-0x0000000000000000-mapping.dmp

Download
memory/2028-198-0x0000000000000000-mapping.dmp

Download
memory/2248-196-0x0000000000000000-mapping.dmp

Download
memory/2348-186-0x0000000000000000-mapping.dmp

Download
memory/2396-193-0x0000000000000000-mapping.dmp

Download
memory/2740-147-0x0000000000000000-mapping.dmp

Download
memory/2888-170-0x0000000000000000-mapping.dmp

Download
memory/3212-144-0x0000000000000000-mapping.dmp

Download
memory/3380-188-0x0000000000000000-mapping.dmp

Download
memory/3460-132-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3460-149-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3516-183-0x0000000000000000-mapping.dmp

Download
memory/3520-141-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3520-200-0x0000000009800000-0x0000000009826000-memory.dmp

Filesize
152KB

Download
memory/3520-179-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3520-195-0x0000000009800000-0x0000000009826000-memory.dmp

Filesize
152KB

Download
memory/3520-133-0x0000000000000000-mapping.dmp

Download
memory/3520-190-0x00000000090F0000-0x00000000090F5000-memory.dmp

Filesize
20KB

Download
memory/3568-197-0x0000000000000000-mapping.dmp

Download
memory/3656-165-0x0000000000000000-mapping.dmp

Download
memory/3748-185-0x0000000000000000-mapping.dmp

Download
memory/3748-199-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3748-191-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4360-187-0x0000000000000000-mapping.dmp

Download
memory/4380-173-0x0000000000000000-mapping.dmp

Download
memory/4476-177-0x0000000000000000-mapping.dmp

Download
memory/4520-161-0x0000000000000000-mapping.dmp

Download
memory/4644-181-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4644-143-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4692-174-0x0000000000000000-mapping.dmp

Download
memory/4768-146-0x0000000000000000-mapping.dmp

Download
memory/4840-158-0x0000000000000000-mapping.dmp

Download
memory/4868-148-0x0000000000000000-mapping.dmp

Download
memory/5024-160-0x0000000000000000-mapping.dmp

Download
memory/5116-162-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/5116-150-0x0000000000000000-mapping.dmp

Download
memory/5116-154-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download