3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
Size

51KB
MD5

90ca9ef857133b48966dd0bf39fdca1c
SHA1

47f948dfdd4b12605a7b658d461419b4d1807446
SHA256

3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1
SHA512

1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60
SSDEEP

768:he6RKrrq1haq/b4548dWS24Pq6a4euUYSIKffx7T1wBWpZdQZur2:hZKrEh9zwlW6a4euUYSIIx7NHd5r2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
1396	HdAudio.exe
4688	winhv.exe
3056	winhv.exe
2168	HdAudio.exe
400	HdAudio.exe
1120	winhv.exe
4980	winhv.exe
1308	HdAudio.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HdAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	winhv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cscservice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HdAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	winhv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe"	HdAudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe"	HdAudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe"	HdAudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe"	HdAudio.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3868 set thread context of 1476	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	86
PID 4688 set thread context of 3056	4688	winhv.exe	101
PID 488 set thread context of 4652	488	cscservice.exe	106
PID 1120 set thread context of 4980	1120	winhv.exe	112

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	winhv.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	winhv.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	cscservice.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	cscservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1476	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
Token: SeDebugPrivilege	1476	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
Token: SeRestorePrivilege	3820	dw20.exe
Token: SeBackupPrivilege	3820	dw20.exe
Token: SeBackupPrivilege	3820	dw20.exe
Token: SeBackupPrivilege	3820	dw20.exe
Token: SeDebugPrivilege	1396	HdAudio.exe
Token: SeDebugPrivilege	4688	winhv.exe
Token: SeDebugPrivilege	3056	winhv.exe
Token: SeBackupPrivilege	1240	dw20.exe
Token: SeBackupPrivilege	1240	dw20.exe
Token: SeDebugPrivilege	2168	HdAudio.exe
Token: SeDebugPrivilege	488	cscservice.exe
Token: SeDebugPrivilege	4652	cscservice.exe
Token: SeBackupPrivilege	3440	dw20.exe
Token: SeBackupPrivilege	3440	dw20.exe
Token: SeDebugPrivilege	400	HdAudio.exe
Token: SeDebugPrivilege	1120	winhv.exe
Token: SeDebugPrivilege	4980	winhv.exe
Token: SeBackupPrivilege	1944	dw20.exe
Token: SeBackupPrivilege	1944	dw20.exe
Token: SeDebugPrivilege	1308	HdAudio.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 1460	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	84
PID 3868 wrote to memory of 1460	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	84
PID 3868 wrote to memory of 1460	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	84
PID 3868 wrote to memory of 1476	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	86
PID 3868 wrote to memory of 1476	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	86
PID 3868 wrote to memory of 1476	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	86
PID 3868 wrote to memory of 1476	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	86
PID 3868 wrote to memory of 1476	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	86
PID 3868 wrote to memory of 1476	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	86
PID 3868 wrote to memory of 1476	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	86
PID 3868 wrote to memory of 1476	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	86
PID 3868 wrote to memory of 1396	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	87
PID 3868 wrote to memory of 1396	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	87
PID 3868 wrote to memory of 1396	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	87
PID 1476 wrote to memory of 3820	1476	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	88
PID 1476 wrote to memory of 3820	1476	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	88
PID 1476 wrote to memory of 3820	1476	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	88
PID 1396 wrote to memory of 4688	1396	HdAudio.exe	95
PID 1396 wrote to memory of 4688	1396	HdAudio.exe	95
PID 1396 wrote to memory of 4688	1396	HdAudio.exe	95
PID 3868 wrote to memory of 488	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	98
PID 3868 wrote to memory of 488	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	98
PID 3868 wrote to memory of 488	3868	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	98
PID 4688 wrote to memory of 2984	4688	winhv.exe	99
PID 4688 wrote to memory of 2984	4688	winhv.exe	99
PID 4688 wrote to memory of 2984	4688	winhv.exe	99
PID 4688 wrote to memory of 3056	4688	winhv.exe	101
PID 4688 wrote to memory of 3056	4688	winhv.exe	101
PID 4688 wrote to memory of 3056	4688	winhv.exe	101
PID 4688 wrote to memory of 3056	4688	winhv.exe	101
PID 4688 wrote to memory of 3056	4688	winhv.exe	101
PID 4688 wrote to memory of 3056	4688	winhv.exe	101
PID 4688 wrote to memory of 3056	4688	winhv.exe	101
PID 4688 wrote to memory of 3056	4688	winhv.exe	101
PID 3056 wrote to memory of 1240	3056	winhv.exe	102
PID 3056 wrote to memory of 1240	3056	winhv.exe	102
PID 3056 wrote to memory of 1240	3056	winhv.exe	102
PID 4688 wrote to memory of 2168	4688	winhv.exe	103
PID 4688 wrote to memory of 2168	4688	winhv.exe	103
PID 4688 wrote to memory of 2168	4688	winhv.exe	103
PID 488 wrote to memory of 1996	488	cscservice.exe	104
PID 488 wrote to memory of 1996	488	cscservice.exe	104
PID 488 wrote to memory of 1996	488	cscservice.exe	104
PID 488 wrote to memory of 4652	488	cscservice.exe	106
PID 488 wrote to memory of 4652	488	cscservice.exe	106
PID 488 wrote to memory of 4652	488	cscservice.exe	106
PID 488 wrote to memory of 4652	488	cscservice.exe	106
PID 488 wrote to memory of 4652	488	cscservice.exe	106
PID 488 wrote to memory of 4652	488	cscservice.exe	106
PID 488 wrote to memory of 4652	488	cscservice.exe	106
PID 488 wrote to memory of 4652	488	cscservice.exe	106
PID 4652 wrote to memory of 3440	4652	cscservice.exe	107
PID 4652 wrote to memory of 3440	4652	cscservice.exe	107
PID 4652 wrote to memory of 3440	4652	cscservice.exe	107
PID 488 wrote to memory of 400	488	cscservice.exe	108
PID 488 wrote to memory of 400	488	cscservice.exe	108
PID 488 wrote to memory of 400	488	cscservice.exe	108
PID 400 wrote to memory of 1120	400	HdAudio.exe	109
PID 400 wrote to memory of 1120	400	HdAudio.exe	109
PID 400 wrote to memory of 1120	400	HdAudio.exe	109
PID 1120 wrote to memory of 4152	1120	winhv.exe	110
PID 1120 wrote to memory of 4152	1120	winhv.exe	110
PID 1120 wrote to memory of 4152	1120	winhv.exe	110
PID 1120 wrote to memory of 4980	1120	winhv.exe	112

C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
"C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
  2⤵
  PID:1460
- C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
  "C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1500
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
      4⤵
      PID:2984
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:2168
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
    3⤵
    PID:1996
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3440
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
        5⤵
        
        PID:4152
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HdAudio.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\winhv.exe.log

Filesize
411B

MD5
c3d73b66af935816305ac2ae288f36a4

SHA1
5012a926b3b822db4fb44b24e1e85c09bd90be02

SHA256
87039fa7535d10ed8d77529a8720f1d49f6f4638f28c700ed18c9353364d74e5

SHA512
958c79b6acaa5799bac691536df44f79d1c997b06a650160cc3f541f07c7dc485e9a02728231b411838d368181aa6488ac284f530de2b905b9f7725a7c06c617

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch

Filesize
426B

MD5
0cfe14dbe1b90ceda426b4635ac719a6

SHA1
8cc0a7384943d3c2b2f55df4dfeed5ae93e93b15

SHA256
91db94ffe8276e5beccdb3bb07540bcc94a7f2534df85306802e408b667ff039

SHA512
cb4f6484c749d624d1d9099858c67612b002dafb050c92fd82895041f56158472caef90b8e5bc85390712253186c583db0e7025e776b5667a1926b3e014d4cf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch

Filesize
456B

MD5
ad14efc7d4420b3c1e066bbbfb3b2e53

SHA1
c587c4008e6ec060e33bb73c4c04149aa3abb476

SHA256
e5299b0fa29814029dc5c9314960893ee0afd698aa98b5ac2a6d6c4cba1ccffa

SHA512
652cbfc705131ff860449d927cc595165ab10173c86d27319dbaf65034ab20c5f94889edaa7d4d1f54e29f4bd57a102e0174d92f1e880b25116bbc02c72226cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
514B

MD5
b5a1f0df16c60493b62b6f687ccd0ffa

SHA1
70866c2394781d09c2c300def9a631fce45713de

SHA256
65aadffe7d03a563d1ebc0bbe6715c947e9c11296c5e1972f5d5dfa9a0c151c6

SHA512
55a0cdd632ab96f5ef46185d039779beb1ba9f6b425c0d6bf21f800f46af115b44402e372298ba2e203b3b15ed64f8bd14e61a92edc986dcf937923176c8525c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
426B

MD5
0cfe14dbe1b90ceda426b4635ac719a6

SHA1
8cc0a7384943d3c2b2f55df4dfeed5ae93e93b15

SHA256
91db94ffe8276e5beccdb3bb07540bcc94a7f2534df85306802e408b667ff039

SHA512
cb4f6484c749d624d1d9099858c67612b002dafb050c92fd82895041f56158472caef90b8e5bc85390712253186c583db0e7025e776b5667a1926b3e014d4cf9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
456B

MD5
ad14efc7d4420b3c1e066bbbfb3b2e53

SHA1
c587c4008e6ec060e33bb73c4c04149aa3abb476

SHA256
e5299b0fa29814029dc5c9314960893ee0afd698aa98b5ac2a6d6c4cba1ccffa

SHA512
652cbfc705131ff860449d927cc595165ab10173c86d27319dbaf65034ab20c5f94889edaa7d4d1f54e29f4bd57a102e0174d92f1e880b25116bbc02c72226cb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
514B

MD5
b5a1f0df16c60493b62b6f687ccd0ffa

SHA1
70866c2394781d09c2c300def9a631fce45713de

SHA256
65aadffe7d03a563d1ebc0bbe6715c947e9c11296c5e1972f5d5dfa9a0c151c6

SHA512
55a0cdd632ab96f5ef46185d039779beb1ba9f6b425c0d6bf21f800f46af115b44402e372298ba2e203b3b15ed64f8bd14e61a92edc986dcf937923176c8525c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
426B

MD5
0cfe14dbe1b90ceda426b4635ac719a6

SHA1
8cc0a7384943d3c2b2f55df4dfeed5ae93e93b15

SHA256
91db94ffe8276e5beccdb3bb07540bcc94a7f2534df85306802e408b667ff039

SHA512
cb4f6484c749d624d1d9099858c67612b002dafb050c92fd82895041f56158472caef90b8e5bc85390712253186c583db0e7025e776b5667a1926b3e014d4cf9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
456B

MD5
ad14efc7d4420b3c1e066bbbfb3b2e53

SHA1
c587c4008e6ec060e33bb73c4c04149aa3abb476

SHA256
e5299b0fa29814029dc5c9314960893ee0afd698aa98b5ac2a6d6c4cba1ccffa

SHA512
652cbfc705131ff860449d927cc595165ab10173c86d27319dbaf65034ab20c5f94889edaa7d4d1f54e29f4bd57a102e0174d92f1e880b25116bbc02c72226cb

Download Submit
memory/400-190-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/400-188-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/400-182-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/488-191-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/488-153-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/488-167-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/1120-189-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/1120-187-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/1308-205-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/1308-206-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/1396-151-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/1396-148-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/1396-141-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/1476-140-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/1476-143-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2168-166-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2168-169-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2168-168-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/3056-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-165-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/3868-132-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/3868-152-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/3868-133-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4652-181-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4688-147-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4688-149-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4688-170-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4980-203-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4980-204-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download