52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56

max time kernel
81s
max time network
185s
platform
windows10-1703_x64
resource
win10-20220901-de
resource tags

arch:x64arch:x86image:win10-20220901-delocale:de-deos:windows10-1703-x64systemwindows
submitted
26-11-2022 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fucker script.exe
Size

104KB
MD5

db0655efbe0dbdef1df06207f5cb5b5b
SHA1

a8d48d5c0042ce359178d018c0873e8a7c2f27e8
SHA256

52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
SHA512

5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
SSDEEP

1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe

Drops file in Windows directory 3 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\2900507189.pri	explorer.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe

Modifies registry class 27 IoCs

Processes:

SearchUI.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

4612 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exevlc.exe

pid process

3152 explorer.exe
4612 vlc.exe

pid	process
4612	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

unregmp2.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	2176	unregmp2.exe
Token: SeCreatePagefilePrivilege	2176	unregmp2.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

helppane.exeexplorer.exe

pid	process
1432	helppane.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exe

pid	process
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

helppane.exeexplorer.exeSearchUI.exevlc.exe

pid process

1432 helppane.exe
1432 helppane.exe
3152 explorer.exe
2352 SearchUI.exe
4612 vlc.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

wmplayer.exeunregmp2.exeexplorer.exewmplayer.exe

description	pid	process	target process
PID 4580 wrote to memory of 4100	4580	wmplayer.exe	setup_wm.exe
PID 4580 wrote to memory of 4100	4580	wmplayer.exe	setup_wm.exe
PID 4580 wrote to memory of 4100	4580	wmplayer.exe	setup_wm.exe
PID 4580 wrote to memory of 1580	4580	wmplayer.exe	unregmp2.exe
PID 4580 wrote to memory of 1580	4580	wmplayer.exe	unregmp2.exe
PID 4580 wrote to memory of 1580	4580	wmplayer.exe	unregmp2.exe
PID 1580 wrote to memory of 2176	1580	unregmp2.exe	unregmp2.exe
PID 1580 wrote to memory of 2176	1580	unregmp2.exe	unregmp2.exe
PID 3152 wrote to memory of 5100	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 5100	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 4612	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 4612	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 4512	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 4512	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 4420	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 4420	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 3276	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 3276	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 3432	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 3432	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 3336	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 3336	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 756	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 756	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 4292	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 4292	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 3748	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 3748	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 4664	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 4664	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 2220	3152	explorer.exe	vlc.exe
PID 3152 wrote to memory of 2220	3152	explorer.exe	vlc.exe
PID 3612 wrote to memory of 1876	3612	wmplayer.exe	setup_wm.exe
PID 3612 wrote to memory of 1876	3612	wmplayer.exe	setup_wm.exe
PID 3612 wrote to memory of 1876	3612	wmplayer.exe	setup_wm.exe

C:\Users\Admin\AppData\Local\Temp\fucker script.exe
"C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
1⤵
PID:4588

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Enqueue -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Enqueue -Embedding
2⤵
PID:4100

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Videos'
1⤵
PID:4064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:428

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:4052

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\d035dff4ed404c3ba71a889cca54764e /t 1936 /p 2108
1⤵
PID:3080

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PublishInitialize.mid"
2⤵
PID:5100

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ReceiveOpen.html"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RedoReset.raw"
2⤵
PID:4512

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\BackupConnect.WTV"
2⤵
PID:4420

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConvertRestore.AAC"
2⤵
PID:3432

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CompressExport.pdf"
2⤵
PID:3276

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnlockUnpublish.tmp"
2⤵
PID:3336

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Desktop\VLC media player.lnk"
2⤵
PID:756

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Desktop\Firefox.lnk"
2⤵
PID:4292

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Desktop\Google Chrome.lnk"
2⤵
PID:3748

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\JoinOptimize.jpeg"
2⤵
PID:2220

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EnterExit.pps"
2⤵
PID:4664

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
PID:1876

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\PublishInitialize.mid
3⤵
PID:3308

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\67067b3f81e54e799b2751e08273f235 /t 816 /p 3152
1⤵
PID:2364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
1⤵
PID:4200

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
1024KB

MD5
9622d0aca5edf3839b7ce153267d03cd

SHA1
a943c79b0aa4ae21cedcf39be2c54e2c10f722fc

SHA256
8dc8017a83c4761d51492cade234d380bea5590a08412133fd4c2cd3745a9a1f

SHA512
cc5115bd702c0cf3264c654e092b73b97f930bde9008c47536cce9b0a495e0831281a6513d50cc29365033b6956fd6f327a46c977386238336b5d27fbcbd815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
Filesize
68KB

MD5
282a03ea99bae332e110a1827ab4187a

SHA1
265a0c09819dc5e7903880b0dba32e28af44e060

SHA256
d295f3351f25056f551409e640d10baac7e2a74f030b0eee385a2dc1adeb46a6

SHA512
f8d0084b28287b167424c57391ec51fc2836c52cf90794aa3893b9996f4172394ea539b8d0cfe64e6cf763763d53cfbbdeb8ba6b83448384223e2c88e977b720

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
f8fec272b642d7fb3dbb95be444bc93c

SHA1
36469822ce44a4674c125cf2e0ffa93cad7247a0

SHA256
0ad986c017b233dc14869eb763d468d8a3bac0cff44a5eec65f1545486ff19a6

SHA512
d20e01e59dfab25f2799f7fcd16787189a7c650076a827b254d7e8d8c9e2a7bdbfb225f21ffdb0be718bee93c438f3e4f2a8325c6c8515db60afbed8bd37948f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
2KB

MD5
eeaa595f9d67db2c415fb7ec5104b165

SHA1
cc4af1c77b673d393fee278bd7987bab616cb896

SHA256
888910a7e9246da0d73ad4ef5701a34683646a2c4583e26a8d14cecfc36eeb83

SHA512
ae708a6eb47af03b5d821e4b0d292132424981a821a1794e7d1d3fd46b04b4262ada37ddc170de7ad91687b37695c874e3c5ac4fbc9b364fa0e8fdb312c2c830

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize
1KB

MD5
fce3eaba8d8a4529cc62d3dc528afbfd

SHA1
0b523855474d5890cfd3057ca935238b5ad4a4e7

SHA256
d02961fdf729aea5a19b547a96f6ba610538e71fb8993ec0009e84ba6e002e0c

SHA512
120be311e8291980e00f3dbfd97a68e80f61bc4b9712673f0538eb4b2c4accb4c176d2512f3f8ef6eef56351a8c87143f4a74242cc5a5b79cd8c53eaf3b4691d

Download Submit
memory/756-344-0x0000000000000000-mapping.dmp

Download
memory/1580-185-0x0000000000000000-mapping.dmp

Download
memory/1876-390-0x0000000000000000-mapping.dmp

Download
memory/2176-277-0x0000000000000000-mapping.dmp

Download
memory/2220-348-0x0000000000000000-mapping.dmp

Download
memory/3276-341-0x0000000000000000-mapping.dmp

Download
memory/3308-491-0x0000000000000000-mapping.dmp

Download
memory/3336-343-0x0000000000000000-mapping.dmp

Download
memory/3432-342-0x0000000000000000-mapping.dmp

Download
memory/3748-346-0x0000000000000000-mapping.dmp

Download
memory/4100-184-0x0000000000000000-mapping.dmp

Download
memory/4292-345-0x0000000000000000-mapping.dmp

Download
memory/4420-339-0x0000000000000000-mapping.dmp

Download
memory/4512-338-0x0000000000000000-mapping.dmp

Download
memory/4580-182-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-172-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-183-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-181-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-143-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-144-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-145-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-146-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-147-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-148-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-149-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-150-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-151-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-152-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-153-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-154-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-156-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-155-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-157-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-158-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-159-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-160-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-161-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-162-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-164-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-163-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-165-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-166-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-167-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-168-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-169-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-171-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-170-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-180-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-173-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-174-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-175-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-176-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-177-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-178-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4580-179-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-128-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-120-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-132-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-131-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-139-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-138-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-137-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-136-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-135-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-134-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-133-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-122-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-121-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-142-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-141-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-130-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-123-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-129-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-140-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-127-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-126-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-125-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-124-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-337-0x0000000000000000-mapping.dmp

Download
memory/4664-347-0x0000000000000000-mapping.dmp

Download
memory/5100-336-0x0000000000000000-mapping.dmp

Download