hawkeye | c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1

Analysis

max time kernel
186s
max time network
188s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
Size

723KB
MD5

697032b609cad099ec3b347bd0f34cb3
SHA1

fc98b5aa7ca186ae9e0dea133438c5e15f3fd077
SHA256

c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1
SHA512

700585da6b279d3074f427ee0fc9c865080c38a07d0f781b77356daae1d5ad8517b5d2cb2318024f31c161c91aba2074de14b284f155508a11cc059b05c75ca0
SSDEEP

12288:4vsfrEOhNBJksGrtIgmu6H5F/XunkwDxnYKCw9vweJ2F/MVXxSlM:5EOjBJfG2gm/unkwRYa9v3cFw

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.ru
Port:
587
Username:
[email protected]
Password:
general123

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 19 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1140-60-0x0000000000080000-0x000000000010C000-memory.dmp	MailPassView
behavioral1/memory/1140-62-0x0000000000080000-0x000000000010C000-memory.dmp	MailPassView
behavioral1/memory/1140-64-0x00000000004859AE-mapping.dmp	MailPassView
behavioral1/memory/1140-65-0x0000000000080000-0x000000000010C000-memory.dmp	MailPassView
behavioral1/memory/1140-66-0x0000000000080000-0x000000000010C000-memory.dmp	MailPassView
behavioral1/memory/1140-70-0x0000000000080000-0x000000000010C000-memory.dmp	MailPassView
behavioral1/memory/1140-73-0x0000000000080000-0x000000000010C000-memory.dmp	MailPassView
behavioral1/memory/1084-82-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1084-83-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1084-86-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1084-88-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1084-103-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2008-120-0x00000000004859AE-mapping.dmp	MailPassView
behavioral1/memory/2008-123-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/2008-125-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/980-146-0x00000000004859AE-mapping.dmp	MailPassView
behavioral1/memory/980-148-0x00000000001E0000-0x000000000026C000-memory.dmp	MailPassView
behavioral1/memory/980-152-0x00000000001E0000-0x000000000026C000-memory.dmp	MailPassView
behavioral1/memory/980-155-0x00000000001E0000-0x000000000026C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 19 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1140-60-0x0000000000080000-0x000000000010C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1140-62-0x0000000000080000-0x000000000010C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1140-64-0x00000000004859AE-mapping.dmp	WebBrowserPassView
behavioral1/memory/1140-65-0x0000000000080000-0x000000000010C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1140-66-0x0000000000080000-0x000000000010C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1140-70-0x0000000000080000-0x000000000010C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1140-73-0x0000000000080000-0x000000000010C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1260-97-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1260-98-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/1260-101-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1260-102-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1260-104-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2008-120-0x00000000004859AE-mapping.dmp	WebBrowserPassView
behavioral1/memory/2008-123-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/2008-125-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/980-146-0x00000000004859AE-mapping.dmp	WebBrowserPassView
behavioral1/memory/980-148-0x00000000001E0000-0x000000000026C000-memory.dmp	WebBrowserPassView
behavioral1/memory/980-152-0x00000000001E0000-0x000000000026C000-memory.dmp	WebBrowserPassView
behavioral1/memory/980-155-0x00000000001E0000-0x000000000026C000-memory.dmp	WebBrowserPassView

Nirsoft 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1140-60-0x0000000000080000-0x000000000010C000-memory.dmp	Nirsoft
behavioral1/memory/1140-62-0x0000000000080000-0x000000000010C000-memory.dmp	Nirsoft
behavioral1/memory/1140-64-0x00000000004859AE-mapping.dmp	Nirsoft
behavioral1/memory/1140-65-0x0000000000080000-0x000000000010C000-memory.dmp	Nirsoft
behavioral1/memory/1140-66-0x0000000000080000-0x000000000010C000-memory.dmp	Nirsoft
behavioral1/memory/1140-70-0x0000000000080000-0x000000000010C000-memory.dmp	Nirsoft
behavioral1/memory/1140-73-0x0000000000080000-0x000000000010C000-memory.dmp	Nirsoft
behavioral1/memory/1084-82-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1084-83-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1084-86-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1084-88-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1260-97-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1260-98-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/1260-101-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1260-102-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1084-103-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1260-104-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2008-120-0x00000000004859AE-mapping.dmp	Nirsoft
behavioral1/memory/2008-123-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/2008-125-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/980-146-0x00000000004859AE-mapping.dmp	Nirsoft
behavioral1/memory/980-148-0x00000000001E0000-0x000000000026C000-memory.dmp	Nirsoft
behavioral1/memory/980-152-0x00000000001E0000-0x000000000026C000-memory.dmp	Nirsoft
behavioral1/memory/980-155-0x00000000001E0000-0x000000000026C000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

LookupSvi.exesecdrv.exesecdrv.exeLookupSvi.exeLookupSvi.exe

pid process

1764 LookupSvi.exe
332 secdrv.exe
2008 secdrv.exe
976 LookupSvi.exe
1364 LookupSvi.exe
Loads dropped DLL 4 IoCs

Processes:

c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exeLookupSvi.exesecdrv.exetakshost.exe

pid process

536 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764 LookupSvi.exe
332 secdrv.exe
1924 takshost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1764	LookupSvi.exe
332	secdrv.exe
2008	secdrv.exe
976	LookupSvi.exe
1364	LookupSvi.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

LookupSvi.exeLookupSvi.exeLookupSvi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exec52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exesecdrv.exetakshost.exe

description	pid	process	target process
PID 536 set thread context of 1140	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
PID 1140 set thread context of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 set thread context of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 332 set thread context of 2008	332	secdrv.exe	secdrv.exe
PID 1924 set thread context of 980	1924	takshost.exe	takshost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exec52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exeLookupSvi.exesecdrv.exe

pid	process
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1764	LookupSvi.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
332	secdrv.exe
332	secdrv.exe
332	secdrv.exe
332	secdrv.exe
332	secdrv.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe

pid process

536 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exeLookupSvi.exec52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exesecdrv.exeLookupSvi.exetakshost.exeLookupSvi.exe

description	pid	process
Token: SeDebugPrivilege	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
Token: SeDebugPrivilege	1764	LookupSvi.exe
Token: SeDebugPrivilege	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
Token: SeDebugPrivilege	332	secdrv.exe
Token: SeDebugPrivilege	976	LookupSvi.exe
Token: SeDebugPrivilege	1924	takshost.exe
Token: SeDebugPrivilege	1364	LookupSvi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe

pid process

1140 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe

pid	process
1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exec52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exeLookupSvi.exesecdrv.exetakshost.exe

description	pid	process	target process
PID 536 wrote to memory of 1140	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
PID 536 wrote to memory of 1140	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
PID 536 wrote to memory of 1140	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
PID 536 wrote to memory of 1140	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
PID 536 wrote to memory of 1140	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
PID 536 wrote to memory of 1140	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
PID 536 wrote to memory of 1140	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
PID 536 wrote to memory of 1140	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
PID 536 wrote to memory of 1140	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
PID 536 wrote to memory of 1764	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	LookupSvi.exe
PID 536 wrote to memory of 1764	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	LookupSvi.exe
PID 536 wrote to memory of 1764	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	LookupSvi.exe
PID 536 wrote to memory of 1764	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	LookupSvi.exe
PID 1140 wrote to memory of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1084	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1764 wrote to memory of 332	1764	LookupSvi.exe	secdrv.exe
PID 1764 wrote to memory of 332	1764	LookupSvi.exe	secdrv.exe
PID 1764 wrote to memory of 332	1764	LookupSvi.exe	secdrv.exe
PID 1764 wrote to memory of 332	1764	LookupSvi.exe	secdrv.exe
PID 1140 wrote to memory of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 1140 wrote to memory of 1260	1140	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	vbc.exe
PID 536 wrote to memory of 1924	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	takshost.exe
PID 536 wrote to memory of 1924	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	takshost.exe
PID 536 wrote to memory of 1924	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	takshost.exe
PID 536 wrote to memory of 1924	536	c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe	takshost.exe
PID 332 wrote to memory of 2008	332	secdrv.exe	secdrv.exe
PID 332 wrote to memory of 2008	332	secdrv.exe	secdrv.exe
PID 332 wrote to memory of 2008	332	secdrv.exe	secdrv.exe
PID 332 wrote to memory of 2008	332	secdrv.exe	secdrv.exe
PID 332 wrote to memory of 2008	332	secdrv.exe	secdrv.exe
PID 332 wrote to memory of 2008	332	secdrv.exe	secdrv.exe
PID 332 wrote to memory of 2008	332	secdrv.exe	secdrv.exe
PID 332 wrote to memory of 2008	332	secdrv.exe	secdrv.exe
PID 332 wrote to memory of 2008	332	secdrv.exe	secdrv.exe
PID 332 wrote to memory of 976	332	secdrv.exe	LookupSvi.exe
PID 332 wrote to memory of 976	332	secdrv.exe	LookupSvi.exe
PID 332 wrote to memory of 976	332	secdrv.exe	LookupSvi.exe
PID 332 wrote to memory of 976	332	secdrv.exe	LookupSvi.exe
PID 1924 wrote to memory of 980	1924	takshost.exe	takshost.exe
PID 1924 wrote to memory of 980	1924	takshost.exe	takshost.exe
PID 1924 wrote to memory of 980	1924	takshost.exe	takshost.exe
PID 1924 wrote to memory of 980	1924	takshost.exe	takshost.exe
PID 1924 wrote to memory of 980	1924	takshost.exe	takshost.exe
PID 1924 wrote to memory of 980	1924	takshost.exe	takshost.exe
PID 1924 wrote to memory of 980	1924	takshost.exe	takshost.exe
PID 1924 wrote to memory of 980	1924	takshost.exe	takshost.exe
PID 1924 wrote to memory of 980	1924	takshost.exe	takshost.exe
PID 1924 wrote to memory of 1364	1924	takshost.exe	LookupSvi.exe

C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
"C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
"C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:1260

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
4⤵
- Executes dropped EXE
PID:2008

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
3⤵
PID:980

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
9KB

MD5
f370aafe6181754b110816a54e38082a

SHA1
298d4d3309d74fcab8bc2906564ede1c62c07910

SHA256
55f11f6cbab2e77d6f49ea6fd94100c64aa0b469aae383b368ffc708dd012e50

SHA512
c0d378fcd7cef57bec392a420f0684542644f336619aea586021f103131830dc820136380e2c07c2e93e688cb31970b913fd39d5c5e151e02e08f0f43d5d87f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
9KB

MD5
f370aafe6181754b110816a54e38082a

SHA1
298d4d3309d74fcab8bc2906564ede1c62c07910

SHA256
55f11f6cbab2e77d6f49ea6fd94100c64aa0b469aae383b368ffc708dd012e50

SHA512
c0d378fcd7cef57bec392a420f0684542644f336619aea586021f103131830dc820136380e2c07c2e93e688cb31970b913fd39d5c5e151e02e08f0f43d5d87f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
9KB

MD5
f370aafe6181754b110816a54e38082a

SHA1
298d4d3309d74fcab8bc2906564ede1c62c07910

SHA256
55f11f6cbab2e77d6f49ea6fd94100c64aa0b469aae383b368ffc708dd012e50

SHA512
c0d378fcd7cef57bec392a420f0684542644f336619aea586021f103131830dc820136380e2c07c2e93e688cb31970b913fd39d5c5e151e02e08f0f43d5d87f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
9KB

MD5
f370aafe6181754b110816a54e38082a

SHA1
298d4d3309d74fcab8bc2906564ede1c62c07910

SHA256
55f11f6cbab2e77d6f49ea6fd94100c64aa0b469aae383b368ffc708dd012e50

SHA512
c0d378fcd7cef57bec392a420f0684542644f336619aea586021f103131830dc820136380e2c07c2e93e688cb31970b913fd39d5c5e151e02e08f0f43d5d87f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
9KB

MD5
f370aafe6181754b110816a54e38082a

SHA1
298d4d3309d74fcab8bc2906564ede1c62c07910

SHA256
55f11f6cbab2e77d6f49ea6fd94100c64aa0b469aae383b368ffc708dd012e50

SHA512
c0d378fcd7cef57bec392a420f0684542644f336619aea586021f103131830dc820136380e2c07c2e93e688cb31970b913fd39d5c5e151e02e08f0f43d5d87f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
9KB

MD5
f370aafe6181754b110816a54e38082a

SHA1
298d4d3309d74fcab8bc2906564ede1c62c07910

SHA256
55f11f6cbab2e77d6f49ea6fd94100c64aa0b469aae383b368ffc708dd012e50

SHA512
c0d378fcd7cef57bec392a420f0684542644f336619aea586021f103131830dc820136380e2c07c2e93e688cb31970b913fd39d5c5e151e02e08f0f43d5d87f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
723KB

MD5
697032b609cad099ec3b347bd0f34cb3

SHA1
fc98b5aa7ca186ae9e0dea133438c5e15f3fd077

SHA256
c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1

SHA512
700585da6b279d3074f427ee0fc9c865080c38a07d0f781b77356daae1d5ad8517b5d2cb2318024f31c161c91aba2074de14b284f155508a11cc059b05c75ca0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
723KB

MD5
697032b609cad099ec3b347bd0f34cb3

SHA1
fc98b5aa7ca186ae9e0dea133438c5e15f3fd077

SHA256
c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1

SHA512
700585da6b279d3074f427ee0fc9c865080c38a07d0f781b77356daae1d5ad8517b5d2cb2318024f31c161c91aba2074de14b284f155508a11cc059b05c75ca0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
723KB

MD5
697032b609cad099ec3b347bd0f34cb3

SHA1
fc98b5aa7ca186ae9e0dea133438c5e15f3fd077

SHA256
c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1

SHA512
700585da6b279d3074f427ee0fc9c865080c38a07d0f781b77356daae1d5ad8517b5d2cb2318024f31c161c91aba2074de14b284f155508a11cc059b05c75ca0

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize
4B

MD5
8248a99e81e752cb9b41da3fc43fbe7f

SHA1
715e82fa3b623c04f4eb343985dbbe7555a0be99

SHA256
bc10b57514d76124b4120a34db2224067fed660b09408ade0b14b582946ff2fc

SHA512
57f76d63385c4ee826f2332324196edf452b9fa77367bbc48737af9dee06d161cb5cf92791121b0c6932703821a59795c5019370760c4a331d7a03cb5567c614

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt
Filesize
102B

MD5
07f6f1b0205f03d0642d0b1aa68ec84e

SHA1
aea923df4c48aaada4fb12e01fb2cea9f0d578fb

SHA256
28c67af2759d30b3a03140ad3b86cbe8eacc5e0ebecd0bebec0c226165a830d6

SHA512
1a09bfd65bbf5f8f5b71e8518705ed15f59de3cefb24627ac41aa97577d80df9d9b17c1b3c667530d14dc0a7c034085127bceb55a2415a20324eedaee7e0c086

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
9KB

MD5
f370aafe6181754b110816a54e38082a

SHA1
298d4d3309d74fcab8bc2906564ede1c62c07910

SHA256
55f11f6cbab2e77d6f49ea6fd94100c64aa0b469aae383b368ffc708dd012e50

SHA512
c0d378fcd7cef57bec392a420f0684542644f336619aea586021f103131830dc820136380e2c07c2e93e688cb31970b913fd39d5c5e151e02e08f0f43d5d87f1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
9KB

MD5
f370aafe6181754b110816a54e38082a

SHA1
298d4d3309d74fcab8bc2906564ede1c62c07910

SHA256
55f11f6cbab2e77d6f49ea6fd94100c64aa0b469aae383b368ffc708dd012e50

SHA512
c0d378fcd7cef57bec392a420f0684542644f336619aea586021f103131830dc820136380e2c07c2e93e688cb31970b913fd39d5c5e151e02e08f0f43d5d87f1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
9KB

MD5
f370aafe6181754b110816a54e38082a

SHA1
298d4d3309d74fcab8bc2906564ede1c62c07910

SHA256
55f11f6cbab2e77d6f49ea6fd94100c64aa0b469aae383b368ffc708dd012e50

SHA512
c0d378fcd7cef57bec392a420f0684542644f336619aea586021f103131830dc820136380e2c07c2e93e688cb31970b913fd39d5c5e151e02e08f0f43d5d87f1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
723KB

MD5
697032b609cad099ec3b347bd0f34cb3

SHA1
fc98b5aa7ca186ae9e0dea133438c5e15f3fd077

SHA256
c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1

SHA512
700585da6b279d3074f427ee0fc9c865080c38a07d0f781b77356daae1d5ad8517b5d2cb2318024f31c161c91aba2074de14b284f155508a11cc059b05c75ca0

Download Submit
memory/332-136-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/332-107-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/332-94-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/332-91-0x0000000000000000-mapping.dmp

Download
memory/536-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/536-55-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/536-111-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/536-56-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/976-128-0x0000000000000000-mapping.dmp

Download
memory/976-137-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/976-134-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/980-163-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/980-165-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/980-155-0x00000000001E0000-0x000000000026C000-memory.dmp

Filesize
560KB

Download
memory/980-152-0x00000000001E0000-0x000000000026C000-memory.dmp

Filesize
560KB

Download
memory/980-148-0x00000000001E0000-0x000000000026C000-memory.dmp

Filesize
560KB

Download
memory/980-146-0x00000000004859AE-mapping.dmp

Download
memory/1084-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-83-0x0000000000411654-mapping.dmp

Download
memory/1084-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1140-60-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1140-87-0x0000000000495000-0x00000000004A6000-memory.dmp

Filesize
68KB

Download
memory/1140-57-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1140-70-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1140-66-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1140-80-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1140-58-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1140-65-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1140-73-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1140-95-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1140-64-0x00000000004859AE-mapping.dmp

Download
memory/1140-62-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1140-106-0x0000000000495000-0x00000000004A6000-memory.dmp

Filesize
68KB

Download
memory/1260-104-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1260-101-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1260-98-0x0000000000442628-mapping.dmp

Download
memory/1260-102-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1260-97-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1364-166-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-158-0x0000000000000000-mapping.dmp

Download
memory/1364-164-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-96-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-76-0x0000000000000000-mapping.dmp

Download
memory/1764-81-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-108-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-135-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-112-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-109-0x0000000000000000-mapping.dmp

Download
memory/2008-138-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-133-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-125-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2008-123-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2008-120-0x00000000004859AE-mapping.dmp

Download