7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6

Analysis

max time kernel
189s
max time network
194s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe
Size

592KB
MD5

95d09778f050d8bcc5805b4c56200d55
SHA1

8dac4eb7d51df65fd6ac81dd1e906c674b363d95
SHA256

7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6
SHA512

0c41173e611725249f611fb362668d5cc64cc4a24c3ff4d32fde88f9784896c449d1939a46c9b9fcd9365b8942085dc7f807392207c0da5ed45a8f69174a8d54
SSDEEP

12288:zK2mhAMJ/cPl+vnGEhP4ltXEv/lL6TC84wzFYA/dEJf8uYHIA8lsT:22O/Gl+vnbpIElL4NFYJp8uY7oS

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Executes dropped EXE 7 IoCs

pid	Process
840	tashfer.exe
2040	tashferkraw.exe
1580	explorerx.exe
2000	Server.exe
1704	explorer.exe
868	Trojan.exe
1540	explorer.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1640	netsh.exe
1536	netsh.exe
972	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94a40d183a1e5b33be1cb7d99b0c9e16.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94a40d183a1e5b33be1cb7d99b0c9e16.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe

Loads dropped DLL 11 IoCs

pid	Process
840	tashfer.exe
840	tashfer.exe
840	tashfer.exe
840	tashfer.exe
840	tashfer.exe
2040	tashferkraw.exe
2040	tashferkraw.exe
2040	tashferkraw.exe
2000	Server.exe
1704	explorer.exe
1704	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\94a40d183a1e5b33be1cb7d99b0c9e16 = "\"C:\\ProgramData\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\94a40d183a1e5b33be1cb7d99b0c9e16 = "\"C:\\ProgramData\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?8?\CLSID\ = "{6DA50995-EE84-33F6-9976-DDD1B2245EBB}"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\0.0.0.0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\Implemented Categories	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/ProgramData/explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\RuntimeVersion = "v2.0.50727"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\CodeBase = "file:///C:/ProgramData/explorer.exe"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?8?\CLSID	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\?112?\ = "?112?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\0.0.0.0\Assembly = "uxhdlbrdhih, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\ProgId	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\Assembly = "uxhdlbrdhih, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\Implemented Categories	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\ThreadingModel = "Both"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\Assembly = "uxhdlbrdhih, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\0.0.0.0\Class = "?1?.?8?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\ProgId\ = "?112?"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?8?	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\ProgId	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\ = "?112?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\CodeBase = "file:///C:/ProgramData/explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\0.0.0.0\Class = "?112?"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\ProgId	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\?112?	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?8?	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\0.0.0.0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/ProgramData/explorer.exe"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?1?	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?8?\ = "?1?.?8?"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?1?\CLSID	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\Implemented Categories	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\ThreadingModel = "Both"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\ProgId\ = "?1?.?8?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}\0 = ".NET Category"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\0.0.0.0	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\0.0.0.0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\0.0.0.0\Assembly = "uxhdlbrdhih, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\ProgId\ = "?1?.?1?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\Class = "?112?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\ThreadingModel = "Both"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\?112?	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\?112?\CLSID\ = "{2BC307E3-AE2B-3074-862A-9A20FC57029E}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\RuntimeVersion = "v2.0.50727"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\ProgId	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\ = "?1?.?1?"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\0.0.0.0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\?112?\CLSID	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
868	Trojan.exe
868	Trojan.exe
868	Trojan.exe
868	Trojan.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	840	tashfer.exe
Token: SeRestorePrivilege	840	tashfer.exe
Token: SeDebugPrivilege	2040	tashferkraw.exe
Token: SeDebugPrivilege	868	Trojan.exe
Token: SeDebugPrivilege	1540	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1540	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 840	1932	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe	27
PID 1932 wrote to memory of 840	1932	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe	27
PID 1932 wrote to memory of 840	1932	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe	27
PID 1932 wrote to memory of 840	1932	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe	27
PID 1932 wrote to memory of 840	1932	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe	27
PID 1932 wrote to memory of 840	1932	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe	27
PID 1932 wrote to memory of 840	1932	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe	27
PID 840 wrote to memory of 2040	840	tashfer.exe	28
PID 840 wrote to memory of 2040	840	tashfer.exe	28
PID 840 wrote to memory of 2040	840	tashfer.exe	28
PID 840 wrote to memory of 2040	840	tashfer.exe	28
PID 840 wrote to memory of 2040	840	tashfer.exe	28
PID 840 wrote to memory of 2040	840	tashfer.exe	28
PID 840 wrote to memory of 2040	840	tashfer.exe	28
PID 2040 wrote to memory of 1580	2040	tashferkraw.exe	29
PID 2040 wrote to memory of 1580	2040	tashferkraw.exe	29
PID 2040 wrote to memory of 1580	2040	tashferkraw.exe	29
PID 2040 wrote to memory of 1580	2040	tashferkraw.exe	29
PID 2040 wrote to memory of 2000	2040	tashferkraw.exe	30
PID 2040 wrote to memory of 2000	2040	tashferkraw.exe	30
PID 2040 wrote to memory of 2000	2040	tashferkraw.exe	30
PID 2040 wrote to memory of 2000	2040	tashferkraw.exe	30
PID 2040 wrote to memory of 2000	2040	tashferkraw.exe	30
PID 2040 wrote to memory of 2000	2040	tashferkraw.exe	30
PID 2040 wrote to memory of 2000	2040	tashferkraw.exe	30
PID 1580 wrote to memory of 1704	1580	explorerx.exe	31
PID 1580 wrote to memory of 1704	1580	explorerx.exe	31
PID 1580 wrote to memory of 1704	1580	explorerx.exe	31
PID 1580 wrote to memory of 1704	1580	explorerx.exe	31
PID 1580 wrote to memory of 1704	1580	explorerx.exe	31
PID 1580 wrote to memory of 1704	1580	explorerx.exe	31
PID 1580 wrote to memory of 1704	1580	explorerx.exe	31
PID 2000 wrote to memory of 868	2000	Server.exe	32
PID 2000 wrote to memory of 868	2000	Server.exe	32
PID 2000 wrote to memory of 868	2000	Server.exe	32
PID 2000 wrote to memory of 868	2000	Server.exe	32
PID 2000 wrote to memory of 868	2000	Server.exe	32
PID 2000 wrote to memory of 868	2000	Server.exe	32
PID 2000 wrote to memory of 868	2000	Server.exe	32
PID 1704 wrote to memory of 1540	1704	explorer.exe	39
PID 1704 wrote to memory of 1540	1704	explorer.exe	39
PID 1704 wrote to memory of 1540	1704	explorer.exe	39
PID 1704 wrote to memory of 1540	1704	explorer.exe	39
PID 1704 wrote to memory of 1540	1704	explorer.exe	39
PID 1704 wrote to memory of 1540	1704	explorer.exe	39
PID 1704 wrote to memory of 1540	1704	explorer.exe	39
PID 868 wrote to memory of 1640	868	Trojan.exe	33
PID 868 wrote to memory of 1640	868	Trojan.exe	33
PID 868 wrote to memory of 1640	868	Trojan.exe	33
PID 868 wrote to memory of 1640	868	Trojan.exe	33
PID 868 wrote to memory of 1640	868	Trojan.exe	33
PID 868 wrote to memory of 1640	868	Trojan.exe	33
PID 868 wrote to memory of 1640	868	Trojan.exe	33
PID 1540 wrote to memory of 1536	1540	explorer.exe	35
PID 1540 wrote to memory of 1536	1540	explorer.exe	35
PID 1540 wrote to memory of 1536	1540	explorer.exe	35
PID 1540 wrote to memory of 1536	1540	explorer.exe	35
PID 1540 wrote to memory of 1536	1540	explorer.exe	35
PID 1540 wrote to memory of 1536	1540	explorer.exe	35
PID 1540 wrote to memory of 1536	1540	explorer.exe	35
PID 1540 wrote to memory of 972	1540	explorer.exe	36
PID 1540 wrote to memory of 972	1540	explorer.exe	36
PID 1540 wrote to memory of 972	1540	explorer.exe	36
PID 1540 wrote to memory of 972	1540	explorer.exe	36

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

C:\Users\Admin\AppData\Local\Temp\7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe
"C:\Users\Admin\AppData\Local\Temp\7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\tashfer.exe
  "C:\Users\Admin\AppData\Local\Temp\tashfer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\explorerx.exe
      "C:\Users\Admin\AppData\Local\Temp\explorerx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1704
      - C:\ProgramData\explorer.exe
        
        "C:\ProgramData\explorer.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1540
        
        C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\SysWOW64\wscript.exe" "C:\ProgramData\explorer.vbe"
        7⤵
        
        PID:568
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
        5⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:1640

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\ProgramData\explorer.exe" "explorer.exe" ENABLE
1⤵
- Modifies Windows Firewall
PID:1536

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE
1⤵
- Modifies Windows Firewall
PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\explorer.exe

Filesize
250KB

MD5
9c52b1d644fbd3d76716c9c3dee3d42c

SHA1
9a7e41669f88d46d2382116698da4faed9a83942

SHA256
dc6013f6a886595a5f3f12f978f968e19be14bac2cca587ad7b6c17aecc98091

SHA512
0c2d285040627284dca6ba45acf70d0a392e428770b2bc9e39ad1df06ba097dd7820626850fe4dcf6fcd8348bb840431716373b70d4221c5d9c0eab701bf6a43

Download Submit
C:\ProgramData\explorer.exe

Filesize
250KB

MD5
9c52b1d644fbd3d76716c9c3dee3d42c

SHA1
9a7e41669f88d46d2382116698da4faed9a83942

SHA256
dc6013f6a886595a5f3f12f978f968e19be14bac2cca587ad7b6c17aecc98091

SHA512
0c2d285040627284dca6ba45acf70d0a392e428770b2bc9e39ad1df06ba097dd7820626850fe4dcf6fcd8348bb840431716373b70d4221c5d9c0eab701bf6a43

Download Submit
C:\ProgramData\explorer.vbe

Filesize
54B

MD5
3e2daf38e0ae3e4cb752ba07e317ab8a

SHA1
403119ccb6060f1663057c0ee723d669090f227d

SHA256
368663c0c1ad3ea27349893d950a8f851260fd5cf5b8ad796f801afb513167e1

SHA512
284ba94b51771ffb8e1636e00968f8b5d217b5f6dc66ab2ed7c4394cf920f174a6cc5375da497270b13738f8a4efdc1f75a319dbc7dc7fd7850eb86ef937587b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe

Filesize
353KB

MD5
c3aa4d3d7ad17e5aa878b2843ba5b678

SHA1
b7dd472080977433b6c19f49ddc169015a9338ba

SHA256
ac46ac55dbff390438d38b766775cc6be7e24787c7a077037ed0e82d68f758bf

SHA512
d4dbc272d26fe07119df7bd3b25057bde1cd66c2208634040ba4ec454cb9a5c565a1006538790cf99f71853f4407b1fd5f395af3086ef2d466b3c64196f1eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe

Filesize
353KB

MD5
c3aa4d3d7ad17e5aa878b2843ba5b678

SHA1
b7dd472080977433b6c19f49ddc169015a9338ba

SHA256
ac46ac55dbff390438d38b766775cc6be7e24787c7a077037ed0e82d68f758bf

SHA512
d4dbc272d26fe07119df7bd3b25057bde1cd66c2208634040ba4ec454cb9a5c565a1006538790cf99f71853f4407b1fd5f395af3086ef2d466b3c64196f1eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
26KB

MD5
e75115f6d21f2e9fb32b99581fa78c72

SHA1
ced1632142bb27e10d711b788a042e4f0e76a0d7

SHA256
968d1be7df46e4859bf69f00d6f6c633cd8b8cd43ec3bdfd60c137868db8d24d

SHA512
4ec9f10bd07a92f261f1533234a7c34082656592bd8c5724faa6380055f67e8992a599fcb155522c8f1515f71e380756ccfc44889f44dcb819f9928d65f89171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
26KB

MD5
e75115f6d21f2e9fb32b99581fa78c72

SHA1
ced1632142bb27e10d711b788a042e4f0e76a0d7

SHA256
968d1be7df46e4859bf69f00d6f6c633cd8b8cd43ec3bdfd60c137868db8d24d

SHA512
4ec9f10bd07a92f261f1533234a7c34082656592bd8c5724faa6380055f67e8992a599fcb155522c8f1515f71e380756ccfc44889f44dcb819f9928d65f89171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
26KB

MD5
e75115f6d21f2e9fb32b99581fa78c72

SHA1
ced1632142bb27e10d711b788a042e4f0e76a0d7

SHA256
968d1be7df46e4859bf69f00d6f6c633cd8b8cd43ec3bdfd60c137868db8d24d

SHA512
4ec9f10bd07a92f261f1533234a7c34082656592bd8c5724faa6380055f67e8992a599fcb155522c8f1515f71e380756ccfc44889f44dcb819f9928d65f89171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
26KB

MD5
e75115f6d21f2e9fb32b99581fa78c72

SHA1
ced1632142bb27e10d711b788a042e4f0e76a0d7

SHA256
968d1be7df46e4859bf69f00d6f6c633cd8b8cd43ec3bdfd60c137868db8d24d

SHA512
4ec9f10bd07a92f261f1533234a7c34082656592bd8c5724faa6380055f67e8992a599fcb155522c8f1515f71e380756ccfc44889f44dcb819f9928d65f89171

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
250KB

MD5
9c52b1d644fbd3d76716c9c3dee3d42c

SHA1
9a7e41669f88d46d2382116698da4faed9a83942

SHA256
dc6013f6a886595a5f3f12f978f968e19be14bac2cca587ad7b6c17aecc98091

SHA512
0c2d285040627284dca6ba45acf70d0a392e428770b2bc9e39ad1df06ba097dd7820626850fe4dcf6fcd8348bb840431716373b70d4221c5d9c0eab701bf6a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
250KB

MD5
9c52b1d644fbd3d76716c9c3dee3d42c

SHA1
9a7e41669f88d46d2382116698da4faed9a83942

SHA256
dc6013f6a886595a5f3f12f978f968e19be14bac2cca587ad7b6c17aecc98091

SHA512
0c2d285040627284dca6ba45acf70d0a392e428770b2bc9e39ad1df06ba097dd7820626850fe4dcf6fcd8348bb840431716373b70d4221c5d9c0eab701bf6a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorerx.exe

Filesize
268KB

MD5
96ceea2acd93638d4cec8c36508f922c

SHA1
451526952b16dc0ff2797b74fa58619b88b1db11

SHA256
08c952c3ba627104a0068d45d2f79cd9a2d91c199038d41080c8028548edb2b5

SHA512
76e124ab3249d49762b0ddc3e5d30aaa921ad76914716b1be9749628d16ef3a823ae305873813e11c6949b8c0ab6de59f9f675c3bcadaed87b559e532bcd18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorerx.exe

Filesize
268KB

MD5
96ceea2acd93638d4cec8c36508f922c

SHA1
451526952b16dc0ff2797b74fa58619b88b1db11

SHA256
08c952c3ba627104a0068d45d2f79cd9a2d91c199038d41080c8028548edb2b5

SHA512
76e124ab3249d49762b0ddc3e5d30aaa921ad76914716b1be9749628d16ef3a823ae305873813e11c6949b8c0ab6de59f9f675c3bcadaed87b559e532bcd18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tashfer.exe

Filesize
573KB

MD5
1fd3abc9e4234338b2a6b1ed301eb7de

SHA1
3057d24befa9d9408226f7ef16aeed3d935e5913

SHA256
87a7fa8dfd05f190e051f62c52005d14c4b4073f5ea7510d250dc8554955c28d

SHA512
d1c93ff0d9b2e5903f0606a276edd2d9d003ffb5771f15fd3953a016a6b8423631e39a1e6a932ac686b0300ace94697c3d2177e6fd57f8fb8f4459fb9dad662e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tashfer.exe

Filesize
573KB

MD5
1fd3abc9e4234338b2a6b1ed301eb7de

SHA1
3057d24befa9d9408226f7ef16aeed3d935e5913

SHA256
87a7fa8dfd05f190e051f62c52005d14c4b4073f5ea7510d250dc8554955c28d

SHA512
d1c93ff0d9b2e5903f0606a276edd2d9d003ffb5771f15fd3953a016a6b8423631e39a1e6a932ac686b0300ace94697c3d2177e6fd57f8fb8f4459fb9dad662e

Download Submit
\ProgramData\explorer.exe

Filesize
250KB

MD5
9c52b1d644fbd3d76716c9c3dee3d42c

SHA1
9a7e41669f88d46d2382116698da4faed9a83942

SHA256
dc6013f6a886595a5f3f12f978f968e19be14bac2cca587ad7b6c17aecc98091

SHA512
0c2d285040627284dca6ba45acf70d0a392e428770b2bc9e39ad1df06ba097dd7820626850fe4dcf6fcd8348bb840431716373b70d4221c5d9c0eab701bf6a43

Download Submit
\ProgramData\explorer.exe

Filesize
250KB

MD5
9c52b1d644fbd3d76716c9c3dee3d42c

SHA1
9a7e41669f88d46d2382116698da4faed9a83942

SHA256
dc6013f6a886595a5f3f12f978f968e19be14bac2cca587ad7b6c17aecc98091

SHA512
0c2d285040627284dca6ba45acf70d0a392e428770b2bc9e39ad1df06ba097dd7820626850fe4dcf6fcd8348bb840431716373b70d4221c5d9c0eab701bf6a43

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe

Filesize
353KB

MD5
c3aa4d3d7ad17e5aa878b2843ba5b678

SHA1
b7dd472080977433b6c19f49ddc169015a9338ba

SHA256
ac46ac55dbff390438d38b766775cc6be7e24787c7a077037ed0e82d68f758bf

SHA512
d4dbc272d26fe07119df7bd3b25057bde1cd66c2208634040ba4ec454cb9a5c565a1006538790cf99f71853f4407b1fd5f395af3086ef2d466b3c64196f1eb92

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe

Filesize
353KB

MD5
c3aa4d3d7ad17e5aa878b2843ba5b678

SHA1
b7dd472080977433b6c19f49ddc169015a9338ba

SHA256
ac46ac55dbff390438d38b766775cc6be7e24787c7a077037ed0e82d68f758bf

SHA512
d4dbc272d26fe07119df7bd3b25057bde1cd66c2208634040ba4ec454cb9a5c565a1006538790cf99f71853f4407b1fd5f395af3086ef2d466b3c64196f1eb92

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe

Filesize
353KB

MD5
c3aa4d3d7ad17e5aa878b2843ba5b678

SHA1
b7dd472080977433b6c19f49ddc169015a9338ba

SHA256
ac46ac55dbff390438d38b766775cc6be7e24787c7a077037ed0e82d68f758bf

SHA512
d4dbc272d26fe07119df7bd3b25057bde1cd66c2208634040ba4ec454cb9a5c565a1006538790cf99f71853f4407b1fd5f395af3086ef2d466b3c64196f1eb92

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe

Filesize
353KB

MD5
c3aa4d3d7ad17e5aa878b2843ba5b678

SHA1
b7dd472080977433b6c19f49ddc169015a9338ba

SHA256
ac46ac55dbff390438d38b766775cc6be7e24787c7a077037ed0e82d68f758bf

SHA512
d4dbc272d26fe07119df7bd3b25057bde1cd66c2208634040ba4ec454cb9a5c565a1006538790cf99f71853f4407b1fd5f395af3086ef2d466b3c64196f1eb92

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe

Filesize
353KB

MD5
c3aa4d3d7ad17e5aa878b2843ba5b678

SHA1
b7dd472080977433b6c19f49ddc169015a9338ba

SHA256
ac46ac55dbff390438d38b766775cc6be7e24787c7a077037ed0e82d68f758bf

SHA512
d4dbc272d26fe07119df7bd3b25057bde1cd66c2208634040ba4ec454cb9a5c565a1006538790cf99f71853f4407b1fd5f395af3086ef2d466b3c64196f1eb92

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
26KB

MD5
e75115f6d21f2e9fb32b99581fa78c72

SHA1
ced1632142bb27e10d711b788a042e4f0e76a0d7

SHA256
968d1be7df46e4859bf69f00d6f6c633cd8b8cd43ec3bdfd60c137868db8d24d

SHA512
4ec9f10bd07a92f261f1533234a7c34082656592bd8c5724faa6380055f67e8992a599fcb155522c8f1515f71e380756ccfc44889f44dcb819f9928d65f89171

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
26KB

MD5
e75115f6d21f2e9fb32b99581fa78c72

SHA1
ced1632142bb27e10d711b788a042e4f0e76a0d7

SHA256
968d1be7df46e4859bf69f00d6f6c633cd8b8cd43ec3bdfd60c137868db8d24d

SHA512
4ec9f10bd07a92f261f1533234a7c34082656592bd8c5724faa6380055f67e8992a599fcb155522c8f1515f71e380756ccfc44889f44dcb819f9928d65f89171

Download Submit
\Users\Admin\AppData\Local\Temp\explorerx.exe

Filesize
268KB

MD5
96ceea2acd93638d4cec8c36508f922c

SHA1
451526952b16dc0ff2797b74fa58619b88b1db11

SHA256
08c952c3ba627104a0068d45d2f79cd9a2d91c199038d41080c8028548edb2b5

SHA512
76e124ab3249d49762b0ddc3e5d30aaa921ad76914716b1be9749628d16ef3a823ae305873813e11c6949b8c0ab6de59f9f675c3bcadaed87b559e532bcd18e6

Download Submit
\Users\Admin\AppData\Local\Temp\explorerx.exe

Filesize
268KB

MD5
96ceea2acd93638d4cec8c36508f922c

SHA1
451526952b16dc0ff2797b74fa58619b88b1db11

SHA256
08c952c3ba627104a0068d45d2f79cd9a2d91c199038d41080c8028548edb2b5

SHA512
76e124ab3249d49762b0ddc3e5d30aaa921ad76914716b1be9749628d16ef3a823ae305873813e11c6949b8c0ab6de59f9f675c3bcadaed87b559e532bcd18e6

Download Submit
memory/840-58-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/868-230-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/868-225-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/1540-223-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/1540-229-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-217-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-54-0x000007FEF4940000-0x000007FEF5363000-memory.dmp

Filesize
10.1MB

Download
memory/1932-55-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download
memory/2000-212-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-78-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-187-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-88-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-98-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-106-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-122-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-128-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-126-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-124-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-120-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-118-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-116-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-114-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-112-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-110-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-108-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-104-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-102-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-100-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-96-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-94-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-92-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-90-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-86-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-82-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-84-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-80-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-76-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-74-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-224-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-72-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-70-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2040-69-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download