modiloader | 99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf

Analysis

max time kernel
152s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
Size

152KB
MD5

30b0b5ba17e8f6e69c7ae4a1e051ac30
SHA1

85d578c1ae2ac8b4cfd35ad6f0060f664759ce97
SHA256

99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf
SHA512

786652251fbdb56a052708cace064852f142414c81bb84b9bbfb85a0b71a0f35257987395223d83960b359bf72a569ead4d4a8727d92f41d1623fb5e857ae131
SSDEEP

1536:c1DMz1DQvXLq6t7awFONecenlLnQHIG5R9c73P600t:9eGw9A0rC00t

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1152-108-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/1152-112-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/1308-191-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/1308-194-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/1332-251-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/1332-257-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 13 IoCs

Processes:

svhust.exesvhust.exesvhust.exeAdobeART.exeAdobeART.exesvhust.exesvhust.exesvhust.exeAdobeART.exeAdobeART.exesvhust.exesvhust.exesvhust.exe

pid	process
528	svhust.exe
268	svhust.exe
1152	svhust.exe
1120	AdobeART.exe
2024	AdobeART.exe
1796	svhust.exe
1752	svhust.exe
1308	svhust.exe
1208	AdobeART.exe
588	AdobeART.exe
1860	svhust.exe
1488	svhust.exe
1332	svhust.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1212-59-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1212-61-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1212-62-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1212-65-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1212-66-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1212-69-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1152-95-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1152-98-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1152-100-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1212-106-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1152-107-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1152-108-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/268-114-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1152-112-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2024-158-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2024-188-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1308-190-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1308-191-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1308-194-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/588-213-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1752-214-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/588-249-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1488-250-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1332-251-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/268-254-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1752-255-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1488-256-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1332-257-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Loads dropped DLL 13 IoCs

Processes:

99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exesvhust.exeAdobeART.exesvhust.exeAdobeART.exe

pid	process
1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
1152	svhust.exe
1152	svhust.exe
2024	AdobeART.exe
2024	AdobeART.exe
2024	AdobeART.exe
1308	svhust.exe
588	AdobeART.exe
588	AdobeART.exe
588	AdobeART.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exesvhust.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhust = "C:\\Users\\Admin\\AppData\\Roaming\\svhust\\svhust.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	svhust.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exesvhust.exeAdobeART.exesvhust.exeAdobeART.exesvhust.exe

description	pid	process	target process
PID 1752 set thread context of 1212	1752	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
PID 528 set thread context of 268	528	svhust.exe	svhust.exe
PID 528 set thread context of 1152	528	svhust.exe	svhust.exe
PID 1120 set thread context of 2024	1120	AdobeART.exe	AdobeART.exe
PID 1796 set thread context of 1752	1796	svhust.exe	svhust.exe
PID 1796 set thread context of 1308	1796	svhust.exe	svhust.exe
PID 1208 set thread context of 588	1208	AdobeART.exe	AdobeART.exe
PID 1860 set thread context of 1488	1860	svhust.exe	svhust.exe
PID 1860 set thread context of 1332	1860	svhust.exe	svhust.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svhust.exesvhust.exesvhust.exe

description	pid	process
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	268	svhust.exe
Token: SeDebugPrivilege	1488	svhust.exe
Token: SeDebugPrivilege	1752	svhust.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exesvhust.exesvhust.exeAdobeART.exeAdobeART.exesvhust.exesvhust.exeAdobeART.exeAdobeART.exesvhust.exesvhust.exe

pid	process
1752	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
528	svhust.exe
268	svhust.exe
1120	AdobeART.exe
2024	AdobeART.exe
1796	svhust.exe
1752	svhust.exe
1208	AdobeART.exe
588	AdobeART.exe
1860	svhust.exe
1488	svhust.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.execmd.exesvhust.exesvhust.exeAdobeART.exeAdobeART.exesvhust.exe

description	pid	process	target process
PID 1752 wrote to memory of 1212	1752	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
PID 1752 wrote to memory of 1212	1752	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
PID 1752 wrote to memory of 1212	1752	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
PID 1752 wrote to memory of 1212	1752	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
PID 1752 wrote to memory of 1212	1752	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
PID 1752 wrote to memory of 1212	1752	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
PID 1752 wrote to memory of 1212	1752	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
PID 1752 wrote to memory of 1212	1752	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
PID 1212 wrote to memory of 1272	1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	cmd.exe
PID 1212 wrote to memory of 1272	1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	cmd.exe
PID 1212 wrote to memory of 1272	1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	cmd.exe
PID 1212 wrote to memory of 1272	1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	cmd.exe
PID 1272 wrote to memory of 1976	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 1976	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 1976	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 1976	1272	cmd.exe	reg.exe
PID 1212 wrote to memory of 528	1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	svhust.exe
PID 1212 wrote to memory of 528	1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	svhust.exe
PID 1212 wrote to memory of 528	1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	svhust.exe
PID 1212 wrote to memory of 528	1212	99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe	svhust.exe
PID 528 wrote to memory of 268	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 268	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 268	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 268	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 268	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 268	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 268	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 268	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 1152	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 1152	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 1152	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 1152	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 1152	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 1152	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 1152	528	svhust.exe	svhust.exe
PID 528 wrote to memory of 1152	528	svhust.exe	svhust.exe
PID 1152 wrote to memory of 1120	1152	svhust.exe	AdobeART.exe
PID 1152 wrote to memory of 1120	1152	svhust.exe	AdobeART.exe
PID 1152 wrote to memory of 1120	1152	svhust.exe	AdobeART.exe
PID 1152 wrote to memory of 1120	1152	svhust.exe	AdobeART.exe
PID 1120 wrote to memory of 2024	1120	AdobeART.exe	AdobeART.exe
PID 1120 wrote to memory of 2024	1120	AdobeART.exe	AdobeART.exe
PID 1120 wrote to memory of 2024	1120	AdobeART.exe	AdobeART.exe
PID 1120 wrote to memory of 2024	1120	AdobeART.exe	AdobeART.exe
PID 1120 wrote to memory of 2024	1120	AdobeART.exe	AdobeART.exe
PID 1120 wrote to memory of 2024	1120	AdobeART.exe	AdobeART.exe
PID 1120 wrote to memory of 2024	1120	AdobeART.exe	AdobeART.exe
PID 1120 wrote to memory of 2024	1120	AdobeART.exe	AdobeART.exe
PID 2024 wrote to memory of 1796	2024	AdobeART.exe	svhust.exe
PID 2024 wrote to memory of 1796	2024	AdobeART.exe	svhust.exe
PID 2024 wrote to memory of 1796	2024	AdobeART.exe	svhust.exe
PID 2024 wrote to memory of 1796	2024	AdobeART.exe	svhust.exe
PID 1796 wrote to memory of 1752	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1752	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1752	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1752	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1752	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1752	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1752	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1752	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1308	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1308	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1308	1796	svhust.exe	svhust.exe
PID 1796 wrote to memory of 1308	1796	svhust.exe	svhust.exe

C:\Users\Admin\AppData\Local\Temp\99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
"C:\Users\Admin\AppData\Local\Temp\99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe
"C:\Users\Admin\AppData\Local\Temp\99e0cec73721a7939f991571ed4c3a7a659410db6039d7fc3abc67e580542fbf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUTXL.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svhust" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe" /f
4⤵
- Adds Run key to start application
PID:1976

C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:268

C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\AdobeART.exe
"C:\Users\Admin\AppData\Roaming\AdobeART.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Roaming\AdobeART.exe
"C:\Users\Admin\AppData\Roaming\AdobeART.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308

C:\Users\Admin\AppData\Roaming\AdobeART.exe
"C:\Users\Admin\AppData\Roaming\AdobeART.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1208

C:\Users\Admin\AppData\Roaming\AdobeART.exe
"C:\Users\Admin\AppData\Roaming\AdobeART.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:588

C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1488

C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
12⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XUTXL.bat

Filesize
141B

MD5
e83a2e0b3c1e03dfb96ffd9924117a45

SHA1
27a3e4ba115ba1bad0bf094f5b97e768d1ece33e

SHA256
655407d94fff9e707712a588d97a2017cc1c9d690a67c688ed0abcb79e452b13

SHA512
5f61686a3b7db3544d83a4f2ce1a75868c7dc266709f72a34eafecc3a26696a985b1912a559aed8f5a2cacbfe26be9beae2374340d1801bb18473de785557480

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeART.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeART.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeART.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeART.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeART.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeART.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\AdobeART.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\AdobeART.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\AdobeART.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
152KB

MD5
6ed1076d9fcca4dee916b1cda4fc8a3f

SHA1
13b84de6fb1660e124b1f3518af752fe7b4d0dc7

SHA256
941f909bf67777977fe4670d8cda37f23b52ef679cbd1602828ab67a5ed2b308

SHA512
99b433716804a7e42091a06fd97b35f46c5a0901c238c2ed1eb354d0587bc8dc9c623332455bbeb6896b46edf0c68842a9c04ac6e22eaf592dbb57db8b69f573

Download Submit
memory/268-90-0x00000000004085D0-mapping.dmp

Download
memory/268-254-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/268-114-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/528-78-0x0000000000000000-mapping.dmp

Download
memory/528-82-0x00000000002CC000-0x00000000002D3000-memory.dmp

Filesize
28KB

Download
memory/588-213-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/588-206-0x00000000004085D0-mapping.dmp

Download
memory/588-249-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1120-111-0x0000000000000000-mapping.dmp

Download
memory/1152-112-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1152-98-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1152-95-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1152-93-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1152-253-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1152-100-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1152-102-0x0000000000412D20-mapping.dmp

Download
memory/1152-107-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1152-108-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1208-193-0x0000000000000000-mapping.dmp

Download
memory/1208-198-0x000000000050C000-0x0000000000513000-memory.dmp

Filesize
28KB

Download
memory/1212-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1212-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1212-65-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1212-63-0x00000000004085D0-mapping.dmp

Download
memory/1212-66-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1212-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1212-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1212-69-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1212-70-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1212-106-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1272-71-0x0000000000000000-mapping.dmp

Download
memory/1308-194-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1308-191-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1308-190-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1308-185-0x0000000000412D20-mapping.dmp

Download
memory/1332-251-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1332-257-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1332-243-0x0000000000412D20-mapping.dmp

Download
memory/1488-231-0x00000000004085D0-mapping.dmp

Download
memory/1488-250-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1488-256-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1752-173-0x00000000004085D0-mapping.dmp

Download
memory/1752-255-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1752-214-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1752-56-0x00000000008CD000-0x00000000008D4000-memory.dmp

Filesize
28KB

Download
memory/1796-166-0x00000000004EC000-0x00000000004F3000-memory.dmp

Filesize
28KB

Download
memory/1796-162-0x0000000000000000-mapping.dmp

Download
memory/1860-220-0x0000000000000000-mapping.dmp

Download
memory/1976-73-0x0000000000000000-mapping.dmp

Download
memory/2024-158-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2024-149-0x00000000004085D0-mapping.dmp

Download
memory/2024-188-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download