smokeloader | 40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624

Analysis

max time kernel
154s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
05-12-2022 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exe
Size

260KB
MD5

e11b03824a6d4a244416f62b2fb14121
SHA1

044e409510f1e3cee3d78571adf02d7f63d89053
SHA256

40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624
SHA512

6a153db22699c287a6c9705203a72fa2a3aba742488cc1a044022030f73e81068a7aa3bc07e0eef83ff015bbeeaea9f921eddea49c5400d3783ea759af8caa7a
SSDEEP

3072:L+X9zbx5D1tE5ryJi5vC66VcvtXRpGBe9K5UXE8ShTDw02rw+t5UUOW2ZeXGMh0r:6fyRy8QsX/Gr56Ph02s+8UO9e2U

Score

10^/10

smokeloader systembc backdoor trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2520-140-0x00000000006E0000-0x00000000006E9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

38 4532 rundll32.exe
45 4532 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

6FC1.exe9E73.exenqgqq.exegvhvgga

pid process

4908 6FC1.exe
3396 9E73.exe
4640 nqgqq.exe
3668 gvhvgga
Deletes itself 1 IoCs

Processes:

pid process

2676

flow	pid	process
38	4532	rundll32.exe
45	4532	rundll32.exe

pid	process
4908	6FC1.exe
3396	9E73.exe
4640	nqgqq.exe
3668	gvhvgga

pid	process
2676

Suspicious use of SetThreadContext 2 IoCs

Processes:

6FC1.exerundll32.exe

description	pid	process	target process
PID 4908 set thread context of 4912	4908	6FC1.exe	rundll32.exe
PID 4912 set thread context of 2628	4912	rundll32.exe	rundll32.exe

Drops file in Windows directory 3 IoCs

Processes:

9E73.exe

description	ioc	process
File created	C:\Windows\Tasks\nqgqq.job	9E73.exe
File opened for modification	C:\Windows\Tasks\nqgqq.job	9E73.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exegvhvgga

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gvhvgga
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gvhvgga
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gvhvgga

Checks processor information in registry 2 TTPs 50 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6FC1.exerundll32.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	6FC1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	6FC1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	6FC1.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6FC1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	6FC1.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	6FC1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	6FC1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar

Modifies registry class 52 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000008555b06b100054656d7000003a0009000400efbe0c55a7898555b06b2e000000000000000000000000000000000000000000000000003030ea00540065006d007000000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

pid process

2676
2676

pid	process
2676
2676

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exe

pid	process
2520	40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exe
2520	40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exe
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2676
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exegvhvgga

pid process

2520 40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exe
3668 gvhvgga

pid	process
2676

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4912 rundll32.exe
2628 rundll32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

pid process

2676
2676
2676
2676

pid	process
4912	rundll32.exe
2628	rundll32.exe

pid	process
2676
2676
2676
2676

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

6FC1.exerundll32.exe

description	pid	process	target process
PID 2676 wrote to memory of 4908	2676		6FC1.exe
PID 2676 wrote to memory of 4908	2676		6FC1.exe
PID 2676 wrote to memory of 4908	2676		6FC1.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4532	4908	6FC1.exe	rundll32.exe
PID 2676 wrote to memory of 3396	2676		9E73.exe
PID 2676 wrote to memory of 3396	2676		9E73.exe
PID 2676 wrote to memory of 3396	2676		9E73.exe
PID 4908 wrote to memory of 4912	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4912	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4912	4908	6FC1.exe	rundll32.exe
PID 4908 wrote to memory of 4912	4908	6FC1.exe	rundll32.exe
PID 4912 wrote to memory of 2628	4912	rundll32.exe	rundll32.exe
PID 4912 wrote to memory of 2628	4912	rundll32.exe	rundll32.exe
PID 4912 wrote to memory of 2628	4912	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exe
"C:\Users\Admin\AppData\Local\Temp\40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2520

C:\Users\Admin\AppData\Local\Temp\6FC1.exe
C:\Users\Admin\AppData\Local\Temp\6FC1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:4532

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14259
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2628

C:\Users\Admin\AppData\Local\Temp\9E73.exe
C:\Users\Admin\AppData\Local\Temp\9E73.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3396

C:\ProgramData\glsuqmi\nqgqq.exe
C:\ProgramData\glsuqmi\nqgqq.exe start
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3960

C:\Users\Admin\AppData\Roaming\gvhvgga
C:\Users\Admin\AppData\Roaming\gvhvgga
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\glsuqmi\nqgqq.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\ProgramData\glsuqmi\nqgqq.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FC1.exe
Filesize
841KB

MD5
c187e8adbe07b83e037b9c6d4837d310

SHA1
a04435d2c4dbad48ce86c9e18414ae9280d24adb

SHA256
3d475a2b438a34d06fb7d9451d3a7f1ce3bf3b10a8f01caa2941f9ddd5b6188f

SHA512
afe02597baca9325cca8c006188c89f048f42fbee9e664db18297c305213485d24476cede6f14928f0883e09177e2a608931fce0bde108c30820350c30e1962e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FC1.exe
Filesize
841KB

MD5
c187e8adbe07b83e037b9c6d4837d310

SHA1
a04435d2c4dbad48ce86c9e18414ae9280d24adb

SHA256
3d475a2b438a34d06fb7d9451d3a7f1ce3bf3b10a8f01caa2941f9ddd5b6188f

SHA512
afe02597baca9325cca8c006188c89f048f42fbee9e664db18297c305213485d24476cede6f14928f0883e09177e2a608931fce0bde108c30820350c30e1962e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E73.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E73.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prewodwyyerdeuy..tmp
Filesize
3.5MB

MD5
1951049d57a12b81d96e53ba69eecc2e

SHA1
7c02ee5b4c4f1de5e7955d641c0c4949a9907a22

SHA256
f904e96e8666928f318f5515400282402d1f5d4a6f05304b9e92982ef32e3ba4

SHA512
e7d4f0fd41b8cb17f3969ad094e114bff74c82d57676a23728bd232b83c36116104c1b364d896681f1b0ce0b6ecb746f47ddafbc0b5ac88801bfd599db5abe15

Download Submit
C:\Users\Admin\AppData\Roaming\gvhvgga
Filesize
260KB

MD5
e11b03824a6d4a244416f62b2fb14121

SHA1
044e409510f1e3cee3d78571adf02d7f63d89053

SHA256
40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624

SHA512
6a153db22699c287a6c9705203a72fa2a3aba742488cc1a044022030f73e81068a7aa3bc07e0eef83ff015bbeeaea9f921eddea49c5400d3783ea759af8caa7a

Download Submit
C:\Users\Admin\AppData\Roaming\gvhvgga
Filesize
260KB

MD5
e11b03824a6d4a244416f62b2fb14121

SHA1
044e409510f1e3cee3d78571adf02d7f63d89053

SHA256
40a67fc1c691f9c19fa926a1b79e069cfd8bd86ae5a9d8cea36bc4504856e624

SHA512
6a153db22699c287a6c9705203a72fa2a3aba742488cc1a044022030f73e81068a7aa3bc07e0eef83ff015bbeeaea9f921eddea49c5400d3783ea759af8caa7a

Download Submit
memory/2520-139-0x0000000000756000-0x0000000000767000-memory.dmp

Filesize
68KB

Download
memory/2520-146-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-126-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-127-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-128-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-129-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-130-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-131-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-132-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-133-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-134-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-135-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-136-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-137-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-138-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-124-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-140-0x00000000006E0000-0x00000000006E9000-memory.dmp

Filesize
36KB

Download
memory/2520-141-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2520-142-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-143-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-144-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-125-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-145-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-147-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-148-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-149-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-150-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-151-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-152-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-153-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-154-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-155-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-156-0x0000000000756000-0x0000000000767000-memory.dmp

Filesize
68KB

Download
memory/2520-157-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2520-158-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2520-121-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-123-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-122-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2520-120-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2628-543-0x000002140D960000-0x000002140DC13000-memory.dmp

Filesize
2.7MB

Download
memory/2628-542-0x00000000006F0000-0x0000000000991000-memory.dmp

Filesize
2.6MB

Download
memory/2628-535-0x00007FF6297D5FD0-mapping.dmp

Download
memory/3396-336-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/3396-374-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/3396-599-0x00000000005DA000-0x00000000005EB000-memory.dmp

Filesize
68KB

Download
memory/3396-281-0x0000000000000000-mapping.dmp

Download
memory/3396-334-0x00000000005DA000-0x00000000005EB000-memory.dmp

Filesize
68KB

Download
memory/3396-350-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3396-373-0x00000000005DA000-0x00000000005EB000-memory.dmp

Filesize
68KB

Download
memory/3668-597-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3668-596-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/3668-598-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4532-210-0x0000000000000000-mapping.dmp

Download
memory/4640-528-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4640-527-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/4640-559-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/4908-188-0x0000000002290000-0x0000000002385000-memory.dmp

Filesize
980KB

Download
memory/4908-181-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-189-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4908-191-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-190-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-192-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-193-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-194-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-195-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-196-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-185-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-187-0x0000000002120000-0x00000000021CF000-memory.dmp

Filesize
700KB

Download
memory/4908-186-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-171-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-170-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-332-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4908-184-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-169-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-183-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-167-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-182-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-172-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-376-0x0000000005BE0000-0x0000000006739000-memory.dmp

Filesize
11.3MB

Download
memory/4908-173-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-175-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-176-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-166-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-165-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-180-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-179-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-164-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-163-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-162-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-546-0x0000000005BE0000-0x0000000006739000-memory.dmp

Filesize
11.3MB

Download
memory/4908-174-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-159-0x0000000000000000-mapping.dmp

Download
memory/4908-558-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4908-178-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4908-161-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4912-554-0x0000000004F90000-0x0000000005AE9000-memory.dmp

Filesize
11.3MB

Download
memory/4912-552-0x0000000002C00000-0x0000000003639000-memory.dmp

Filesize
10.2MB

Download
memory/4912-458-0x0000000004F90000-0x0000000005AE9000-memory.dmp

Filesize
11.3MB

Download
memory/4912-440-0x0000000002C00000-0x0000000003639000-memory.dmp

Filesize
10.2MB

Download
memory/4912-389-0x0000000000865FB0-mapping.dmp

Download