6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

Analysis

max time kernel
156s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Size

471KB
MD5

25892ea00e7495810a766fbe47b70c94
SHA1

6b5e9174d9416a9cf9d9df9fb427d307fb504cfa
SHA256

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b
SHA512

b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833
SSDEEP

12288:NRI+MKzQ6ryInvu23sQZtHW1K3Dnsvm6DrY7M:TIQQ6ryInGqsQZtHW4DsbnYw

Score

8^/10

bootkit discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

wininit.exemibao.exewininit.exe

pid process

520 wininit.exe
1304 mibao.exe
1068 wininit.exe

pid	process
520	wininit.exe
1304	mibao.exe
1068	wininit.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2032-59-0x00000000002B0000-0x00000000002C0000-memory.dmp	upx
behavioral1/memory/2032-60-0x00000000002B0000-0x00000000002C0000-memory.dmp	upx
behavioral1/memory/520-70-0x0000000000290000-0x00000000002A0000-memory.dmp	upx
behavioral1/memory/520-75-0x0000000000290000-0x00000000002A0000-memory.dmp	upx
behavioral1/memory/2032-77-0x00000000002B0000-0x00000000002C0000-memory.dmp	upx
behavioral1/memory/1304-85-0x0000000000520000-0x0000000000530000-memory.dmp	upx
behavioral1/memory/1304-88-0x0000000000520000-0x0000000000530000-memory.dmp	upx
behavioral1/memory/1068-99-0x0000000000310000-0x0000000000320000-memory.dmp	upx
behavioral1/memory/520-102-0x0000000000290000-0x00000000002A0000-memory.dmp	upx
behavioral1/memory/1068-107-0x0000000000310000-0x0000000000320000-memory.dmp	upx
behavioral1/memory/1068-111-0x0000000000310000-0x0000000000320000-memory.dmp	upx
behavioral1/memory/1304-403-0x0000000000520000-0x0000000000530000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1680 cmd.exe

pid	process
1680	cmd.exe

Loads dropped DLL 10 IoCs

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exemibao.exe

pid	process
2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
1304	mibao.exe
1304	mibao.exe
1304	mibao.exe
1304	mibao.exe
1304	mibao.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mibao.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	mibao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	mibao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uzedxue = "C:\\Users\\Admin\\AppData\\Roaming\\Lawa\\mibao.exe"	mibao.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

mibao.exewininit.exe6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exewininit.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mibao.exe
File opened for modification	\??\PhysicalDrive0	wininit.exe
File opened for modification	\??\PhysicalDrive0	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
File opened for modification	\??\PhysicalDrive0	wininit.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe

description	pid	process	target process
PID 2032 set thread context of 1680	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe

Modifies registry class 47 IoCs

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exemibao.exewininit.exewininit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\Programmable	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\ = "dtsh 1.0 Type Library"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	mibao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	mibao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\InprocServer32	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\0	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\0\win32	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\dtsh.dll"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\TypeLib\ = "{2EC3C1EE-D17A-A429-1689-7618132AD539}"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\VersionIndependentProgID\ = "LocationDisp.DispLatLongReport"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\ = "Osinijjok Class"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\ProgID\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\VersionIndependentProgID\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\TypeLib\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\VersionIndependentProgID	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\Programmable\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\0\win64\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\HELPDIR	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\ProgID\ = "LocationDisp.DispLatLongReport.1"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\0\win32\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\FLAGS\ = "0"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\HELPDIR\ = "%SystemRoot%\\SysWow64\\"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\TypeLib	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\InprocServer32\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\InprocServer32\ = "%SystemRoot%\\SysWow64\\LocationApi.dll"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\HELPDIR\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	mibao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CEE461D-26C7-44CF-A182-1D87769DFE69}\ProgID	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\FLAGS\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\0\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\0\win64	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\0\win64\ = "%SystemRoot%\\SysWow64\\dtsh.dll"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2EC3C1EE-D17A-A429-1689-7618132AD539}\1.0\FLAGS	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	wininit.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\00B3019E-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exewininit.exemibao.exewininit.exe

pid	process
2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
1304	mibao.exe
520	wininit.exe
1068	wininit.exe
1068	wininit.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe
520	wininit.exe
520	wininit.exe
1304	mibao.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exeWinMail.exewininit.exe

description	pid	process
Token: SeSecurityPrivilege	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Token: SeSecurityPrivilege	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Token: SeSecurityPrivilege	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Token: SeSecurityPrivilege	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Token: SeSecurityPrivilege	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Token: SeSecurityPrivilege	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Token: SeSecurityPrivilege	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Token: SeSecurityPrivilege	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Token: SeManageVolumePrivilege	1736	WinMail.exe
Token: SeSecurityPrivilege	520	wininit.exe
Token: SeSecurityPrivilege	520	wininit.exe
Token: SeSecurityPrivilege	520	wininit.exe
Token: SeSecurityPrivilege	520	wininit.exe
Token: SeSecurityPrivilege	520	wininit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1736 WinMail.exe

pid	process
1736	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exemibao.exe

description	pid	process	target process
PID 2032 wrote to memory of 520	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	wininit.exe
PID 2032 wrote to memory of 520	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	wininit.exe
PID 2032 wrote to memory of 520	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	wininit.exe
PID 2032 wrote to memory of 520	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	wininit.exe
PID 2032 wrote to memory of 1304	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	mibao.exe
PID 2032 wrote to memory of 1304	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	mibao.exe
PID 2032 wrote to memory of 1304	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	mibao.exe
PID 2032 wrote to memory of 1304	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	mibao.exe
PID 1304 wrote to memory of 1068	1304	mibao.exe	wininit.exe
PID 1304 wrote to memory of 1068	1304	mibao.exe	wininit.exe
PID 1304 wrote to memory of 1068	1304	mibao.exe	wininit.exe
PID 1304 wrote to memory of 1068	1304	mibao.exe	wininit.exe
PID 1304 wrote to memory of 1128	1304	mibao.exe	taskhost.exe
PID 1304 wrote to memory of 1128	1304	mibao.exe	taskhost.exe
PID 1304 wrote to memory of 1128	1304	mibao.exe	taskhost.exe
PID 1304 wrote to memory of 1128	1304	mibao.exe	taskhost.exe
PID 1304 wrote to memory of 1128	1304	mibao.exe	taskhost.exe
PID 1304 wrote to memory of 1184	1304	mibao.exe	Dwm.exe
PID 1304 wrote to memory of 1184	1304	mibao.exe	Dwm.exe
PID 1304 wrote to memory of 1184	1304	mibao.exe	Dwm.exe
PID 1304 wrote to memory of 1184	1304	mibao.exe	Dwm.exe
PID 1304 wrote to memory of 1184	1304	mibao.exe	Dwm.exe
PID 1304 wrote to memory of 1212	1304	mibao.exe	Explorer.EXE
PID 1304 wrote to memory of 1212	1304	mibao.exe	Explorer.EXE
PID 1304 wrote to memory of 1212	1304	mibao.exe	Explorer.EXE
PID 1304 wrote to memory of 1212	1304	mibao.exe	Explorer.EXE
PID 1304 wrote to memory of 1212	1304	mibao.exe	Explorer.EXE
PID 1304 wrote to memory of 2032	1304	mibao.exe	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
PID 1304 wrote to memory of 2032	1304	mibao.exe	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
PID 1304 wrote to memory of 2032	1304	mibao.exe	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
PID 1304 wrote to memory of 2032	1304	mibao.exe	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
PID 1304 wrote to memory of 2032	1304	mibao.exe	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
PID 1304 wrote to memory of 520	1304	mibao.exe	wininit.exe
PID 1304 wrote to memory of 520	1304	mibao.exe	wininit.exe
PID 1304 wrote to memory of 520	1304	mibao.exe	wininit.exe
PID 1304 wrote to memory of 520	1304	mibao.exe	wininit.exe
PID 1304 wrote to memory of 520	1304	mibao.exe	wininit.exe
PID 1304 wrote to memory of 1736	1304	mibao.exe	WinMail.exe
PID 1304 wrote to memory of 1736	1304	mibao.exe	WinMail.exe
PID 1304 wrote to memory of 1736	1304	mibao.exe	WinMail.exe
PID 1304 wrote to memory of 1736	1304	mibao.exe	WinMail.exe
PID 1304 wrote to memory of 1736	1304	mibao.exe	WinMail.exe
PID 2032 wrote to memory of 1680	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	cmd.exe
PID 2032 wrote to memory of 1680	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	cmd.exe
PID 2032 wrote to memory of 1680	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	cmd.exe
PID 2032 wrote to memory of 1680	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	cmd.exe
PID 2032 wrote to memory of 1680	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	cmd.exe
PID 2032 wrote to memory of 1680	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	cmd.exe
PID 2032 wrote to memory of 1680	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	cmd.exe
PID 2032 wrote to memory of 1680	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	cmd.exe
PID 2032 wrote to memory of 1680	2032	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	cmd.exe
PID 1304 wrote to memory of 556	1304	mibao.exe	conhost.exe
PID 1304 wrote to memory of 556	1304	mibao.exe	conhost.exe
PID 1304 wrote to memory of 556	1304	mibao.exe	conhost.exe
PID 1304 wrote to memory of 556	1304	mibao.exe	conhost.exe
PID 1304 wrote to memory of 556	1304	mibao.exe	conhost.exe
PID 1304 wrote to memory of 1632	1304	mibao.exe	DllHost.exe
PID 1304 wrote to memory of 1632	1304	mibao.exe	DllHost.exe
PID 1304 wrote to memory of 1632	1304	mibao.exe	DllHost.exe
PID 1304 wrote to memory of 1632	1304	mibao.exe	DllHost.exe
PID 1304 wrote to memory of 1632	1304	mibao.exe	DllHost.exe
PID 1304 wrote to memory of 756	1304	mibao.exe	DllHost.exe
PID 1304 wrote to memory of 756	1304	mibao.exe	DllHost.exe
PID 1304 wrote to memory of 756	1304	mibao.exe	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
"C:\Users\Admin\AppData\Local\Temp\6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\wininit.exe
  C:\Users\Admin\AppData\Local\Temp\wininit.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Users\Admin\AppData\Roaming\Lawa\mibao.exe
  "C:\Users\Admin\AppData\Roaming\Lawa\mibao.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\wininit.exe
    C:\Users\Admin\AppData\Local\Temp\wininit.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp00bc0932.bat"
  2⤵
  - Deletes itself
  PID:1680

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "115323065322713390-1977309385194970933416910796253507951431581118628-267813925"
1⤵
PID:556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp00bc0932.bat

Filesize
307B

MD5
5aaf0f8ddb9e4dc44cb19cccf1bcf56b

SHA1
2c9ef2283cfe40bf3376c959e19a231ae89fdd7c

SHA256
ce947ee66a4f129b5e103646a53c123cc403520d903e961d37b746695d9091ae

SHA512
8388c00b3929c9934ef7dc78caf4a5b04f4fd8542dbfaa61aa72206bf6abafdff2d0931ecba221c8bd8ec40c7ad7c05ab84234430a2882e7a2f3f569692873f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
C:\Users\Admin\AppData\Roaming\Lawa\mibao.exe

Filesize
471KB

MD5
cdd316d0385ab45929829b2d9be5a818

SHA1
8d9be42f172af3882a9a5aa9c56606466d2e629c

SHA256
7099203cb07b91088425404c6ab383ccef52aeeb0e63e70e99f786811a065052

SHA512
2665f692a8517d585c84b2cdf216ee77d7e836bcb2750a0e08a0a6aeded0ca10f8c53ebdcc7f64f1f6c5fb43ce5c8096d4b73674b0b2c38d67e2ff402f9a8382

Download Submit
C:\Users\Admin\AppData\Roaming\Lawa\mibao.exe

Filesize
471KB

MD5
cdd316d0385ab45929829b2d9be5a818

SHA1
8d9be42f172af3882a9a5aa9c56606466d2e629c

SHA256
7099203cb07b91088425404c6ab383ccef52aeeb0e63e70e99f786811a065052

SHA512
2665f692a8517d585c84b2cdf216ee77d7e836bcb2750a0e08a0a6aeded0ca10f8c53ebdcc7f64f1f6c5fb43ce5c8096d4b73674b0b2c38d67e2ff402f9a8382

Download Submit
C:\Users\Admin\AppData\Roaming\Pytego\vunea.oqk

Filesize
4KB

MD5
260d8aae9b8142a47e966846a04f3dd6

SHA1
6c0799f6ade803845de5c2a7592d314a5967a41a

SHA256
beebd3ba20dbc8f2a7de959db078431803e4b4336c3050c1e6f0748cec814d08

SHA512
ae5a7790277f9b22f2158d01bd313dc24e122857d5fba2e763f3aeb6c0b00ef09119c0a4ba125f41ab2271d32488abfee2d5d600ad8e2199c76330a710cddd15

Download Submit
\Users\Admin\AppData\Local\Temp\kernel45.dll

Filesize
10KB

MD5
28a57355d9583b66e51ad978384c159e

SHA1
b8fe4ddb6187cdee0e89c02bab4a104f406d16da

SHA256
81ed76156df0de1caae6730a091f29978493881b54a2d6fbfb43c47153b6fadd

SHA512
991a288ed0f033eb8f54e567a6264a6111f795bd61a1cd600e210730d7ed39c89e735480dc6f0e4026eafad730ae8dc23ec7bc7600a14a2ac9d652638c02ee3e

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
\Users\Admin\AppData\Roaming\Lawa\kernel45.dll

Filesize
10KB

MD5
28a57355d9583b66e51ad978384c159e

SHA1
b8fe4ddb6187cdee0e89c02bab4a104f406d16da

SHA256
81ed76156df0de1caae6730a091f29978493881b54a2d6fbfb43c47153b6fadd

SHA512
991a288ed0f033eb8f54e567a6264a6111f795bd61a1cd600e210730d7ed39c89e735480dc6f0e4026eafad730ae8dc23ec7bc7600a14a2ac9d652638c02ee3e

Download Submit
\Users\Admin\AppData\Roaming\Lawa\mibao.exe

Filesize
471KB

MD5
cdd316d0385ab45929829b2d9be5a818

SHA1
8d9be42f172af3882a9a5aa9c56606466d2e629c

SHA256
7099203cb07b91088425404c6ab383ccef52aeeb0e63e70e99f786811a065052

SHA512
2665f692a8517d585c84b2cdf216ee77d7e836bcb2750a0e08a0a6aeded0ca10f8c53ebdcc7f64f1f6c5fb43ce5c8096d4b73674b0b2c38d67e2ff402f9a8382

Download Submit
\Users\Admin\AppData\Roaming\Lawa\mibao.exe

Filesize
471KB

MD5
cdd316d0385ab45929829b2d9be5a818

SHA1
8d9be42f172af3882a9a5aa9c56606466d2e629c

SHA256
7099203cb07b91088425404c6ab383ccef52aeeb0e63e70e99f786811a065052

SHA512
2665f692a8517d585c84b2cdf216ee77d7e836bcb2750a0e08a0a6aeded0ca10f8c53ebdcc7f64f1f6c5fb43ce5c8096d4b73674b0b2c38d67e2ff402f9a8382

Download Submit
memory/520-102-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/520-75-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/520-73-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/520-550-0x00000000003A0000-0x00000000003DA000-memory.dmp

Filesize
232KB

Download
memory/520-402-0x00000000003A0000-0x00000000003DA000-memory.dmp

Filesize
232KB

Download
memory/520-63-0x0000000000000000-mapping.dmp

Download
memory/520-70-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1068-107-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1068-105-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1068-111-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1068-99-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1068-93-0x0000000000000000-mapping.dmp

Download
memory/1128-110-0x0000000001F50000-0x0000000001F8A000-memory.dmp

Filesize
232KB

Download
memory/1128-113-0x0000000001F50000-0x0000000001F8A000-memory.dmp

Filesize
232KB

Download
memory/1128-112-0x0000000001F50000-0x0000000001F8A000-memory.dmp

Filesize
232KB

Download
memory/1128-103-0x0000000001F50000-0x0000000001F8A000-memory.dmp

Filesize
232KB

Download
memory/1128-108-0x0000000001F50000-0x0000000001F8A000-memory.dmp

Filesize
232KB

Download
memory/1184-116-0x0000000000120000-0x000000000015A000-memory.dmp

Filesize
232KB

Download
memory/1184-119-0x0000000000120000-0x000000000015A000-memory.dmp

Filesize
232KB

Download
memory/1184-117-0x0000000000120000-0x000000000015A000-memory.dmp

Filesize
232KB

Download
memory/1184-118-0x0000000000120000-0x000000000015A000-memory.dmp

Filesize
232KB

Download
memory/1212-124-0x0000000002A10000-0x0000000002A4A000-memory.dmp

Filesize
232KB

Download
memory/1212-125-0x0000000002A10000-0x0000000002A4A000-memory.dmp

Filesize
232KB

Download
memory/1212-123-0x0000000002A10000-0x0000000002A4A000-memory.dmp

Filesize
232KB

Download
memory/1212-122-0x0000000002A10000-0x0000000002A4A000-memory.dmp

Filesize
232KB

Download
memory/1304-83-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1304-85-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/1304-109-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1304-403-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/1304-88-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/1304-87-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1304-86-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1304-157-0x00000000027B0000-0x00000000028CF000-memory.dmp

Filesize
1.1MB

Download
memory/1304-404-0x0000000002590000-0x00000000026AF000-memory.dmp

Filesize
1.1MB

Download
memory/1304-80-0x0000000000000000-mapping.dmp

Download
memory/1304-405-0x00000000027B0000-0x00000000028CF000-memory.dmp

Filesize
1.1MB

Download
memory/1304-413-0x00000000027B0000-0x00000000028CF000-memory.dmp

Filesize
1.1MB

Download
memory/1304-104-0x0000000002590000-0x00000000026AF000-memory.dmp

Filesize
1.1MB

Download
memory/1680-422-0x000000000006A436-mapping.dmp

Download
memory/1680-541-0x0000000000050000-0x000000000008A000-memory.dmp

Filesize
232KB

Download
memory/1680-564-0x0000000000050000-0x000000000008A000-memory.dmp

Filesize
232KB

Download
memory/2032-74-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2032-159-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-134-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-136-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-138-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-140-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-142-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-144-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-146-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-148-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-150-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-152-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-154-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-131-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-156-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-132-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-72-0x0000000002540000-0x000000000265F000-memory.dmp

Filesize
1.1MB

Download
memory/2032-71-0x0000000002540000-0x000000000265F000-memory.dmp

Filesize
1.1MB

Download
memory/2032-130-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-129-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-128-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/2032-60-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2032-76-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2032-59-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2032-77-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2032-423-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2032-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2032-55-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2032-101-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download