chinese_generic_botnet | 1c78dfb017659c303502c97118fa9d2a6d8dcd02024350219a8ac4c4342dbbe4

Analysis

max time kernel
95s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.5MB
MD5

90ec6306c82c23bc93301410e61d2461
SHA1

e50b0625f4ec6598516c0a5e98bbc2d6dd0aa327
SHA256

1c78dfb017659c303502c97118fa9d2a6d8dcd02024350219a8ac4c4342dbbe4
SHA512

e13a680612ebc84081e91716188230dd050e3e28dfd206d2236cd4d9c48bf9ccb00294a133f31f2837f1f85fe1e16a95e8f2801e6fa5b9558cf233cac39c88a4
SSDEEP

24576:FgChBvFvfSyOllGZ2O/F77tBPHGztHGxzgSJUypu4tHqZIYdAuE8kNZTdYjW:FgIvFCHHGPHGN0gqQwxY+V1iS

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

Processes:

resource	yara_rule
behavioral2/memory/4076-2367-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral2/memory/5032-2401-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

._cache_tmp.exeSynaptics.execomputer.exe._cache_computer.exeSynaptics.exeServer_se.exe._cache_Server_se.exeSynaptics.exe._cache_Synaptics.execomputer.exe._cache_computer.exe._cache_Synaptics.execomputer.exe._cache_computer.exe._cache_Synaptics.exe

pid	process
4076	._cache_tmp.exe
1416	Synaptics.exe
2712	computer.exe
5032	._cache_computer.exe
4584	Synaptics.exe
1828	Server_se.exe
2500	._cache_Server_se.exe
1812	Synaptics.exe
4520	._cache_Synaptics.exe
2536	computer.exe
4132	._cache_computer.exe
4932	._cache_Synaptics.exe
4672	computer.exe
3848	._cache_computer.exe
2220	._cache_Synaptics.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe._cache_tmp.execomputer.exeSynaptics.exe._cache_Synaptics.exeSynaptics.exe._cache_Synaptics.exeServer_se.execomputer.execomputer.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	._cache_tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	computer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Server_se.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	computer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	computer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Loads dropped DLL 8 IoCs

Processes:

computer.exeSynaptics.execomputer.exeSynaptics.exe

pid process

2536 computer.exe
2536 computer.exe
4584 Synaptics.exe
4584 Synaptics.exe
4672 computer.exe
4672 computer.exe
1812 Synaptics.exe
1812 Synaptics.exe

pid	process
2536	computer.exe
2536	computer.exe
4584	Synaptics.exe
4584	Synaptics.exe
4672	computer.exe
4672	computer.exe
1812	Synaptics.exe
1812	Synaptics.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Server_se.exe._cache_computer.exe._cache_computer.exe._cache_Synaptics.exetmp.execomputer.exe._cache_tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Server_se.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Imsossm.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_computer.exe"	._cache_computer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Imsossm.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_computer.exe"	._cache_computer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mcegqgc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	computer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mcegqgc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_tmp.exe"	._cache_tmp.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

._cache_tmp.exe._cache_computer.exe

description	ioc	process
File opened (read-only)	\??\E:	._cache_tmp.exe
File opened (read-only)	\??\N:	._cache_tmp.exe
File opened (read-only)	\??\R:	._cache_tmp.exe
File opened (read-only)	\??\T:	._cache_tmp.exe
File opened (read-only)	\??\E:	._cache_computer.exe
File opened (read-only)	\??\K:	._cache_computer.exe
File opened (read-only)	\??\U:	._cache_computer.exe
File opened (read-only)	\??\B:	._cache_tmp.exe
File opened (read-only)	\??\O:	._cache_tmp.exe
File opened (read-only)	\??\S:	._cache_tmp.exe
File opened (read-only)	\??\V:	._cache_tmp.exe
File opened (read-only)	\??\X:	._cache_tmp.exe
File opened (read-only)	\??\B:	._cache_computer.exe
File opened (read-only)	\??\Q:	._cache_computer.exe
File opened (read-only)	\??\S:	._cache_computer.exe
File opened (read-only)	\??\L:	._cache_tmp.exe
File opened (read-only)	\??\U:	._cache_tmp.exe
File opened (read-only)	\??\J:	._cache_computer.exe
File opened (read-only)	\??\Q:	._cache_tmp.exe
File opened (read-only)	\??\H:	._cache_tmp.exe
File opened (read-only)	\??\M:	._cache_computer.exe
File opened (read-only)	\??\P:	._cache_computer.exe
File opened (read-only)	\??\R:	._cache_computer.exe
File opened (read-only)	\??\T:	._cache_computer.exe
File opened (read-only)	\??\W:	._cache_computer.exe
File opened (read-only)	\??\Y:	._cache_tmp.exe
File opened (read-only)	\??\J:	._cache_tmp.exe
File opened (read-only)	\??\M:	._cache_tmp.exe
File opened (read-only)	\??\P:	._cache_tmp.exe
File opened (read-only)	\??\W:	._cache_tmp.exe
File opened (read-only)	\??\I:	._cache_computer.exe
File opened (read-only)	\??\L:	._cache_computer.exe
File opened (read-only)	\??\V:	._cache_computer.exe
File opened (read-only)	\??\F:	._cache_tmp.exe
File opened (read-only)	\??\Z:	._cache_computer.exe
File opened (read-only)	\??\G:	._cache_computer.exe
File opened (read-only)	\??\I:	._cache_tmp.exe
File opened (read-only)	\??\K:	._cache_tmp.exe
File opened (read-only)	\??\Z:	._cache_tmp.exe
File opened (read-only)	\??\F:	._cache_computer.exe
File opened (read-only)	\??\H:	._cache_computer.exe
File opened (read-only)	\??\N:	._cache_computer.exe
File opened (read-only)	\??\O:	._cache_computer.exe
File opened (read-only)	\??\G:	._cache_tmp.exe
File opened (read-only)	\??\Y:	._cache_computer.exe
File opened (read-only)	\??\X:	._cache_computer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

Processes:

tmp.exeSynaptics.exeSynaptics.exeSynaptics.exe

pid	process
2000	tmp.exe
2000	tmp.exe
1416	Synaptics.exe
1416	Synaptics.exe
1416	Synaptics.exe
1416	Synaptics.exe
1416	Synaptics.exe
1416	Synaptics.exe
1416	Synaptics.exe
1416	Synaptics.exe
1416	Synaptics.exe
1416	Synaptics.exe
1416	Synaptics.exe
4584	Synaptics.exe
4584	Synaptics.exe
1416	Synaptics.exe
4584	Synaptics.exe
1416	Synaptics.exe
1812	Synaptics.exe
1812	Synaptics.exe
4584	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3588 2500 WerFault.exe ._cache_Server_se.exe

pid	pid_target	process	target process
3588	2500	WerFault.exe	._cache_Server_se.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_computer.exe._cache_tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_computer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_computer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_tmp.exe

Modifies registry class 8 IoCs

Processes:

Synaptics.execomputer.exeSynaptics.execomputer.exeSynaptics.exetmp.execomputer.exeServer_se.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	computer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	computer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	computer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server_se.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

._cache_tmp.exe._cache_computer.exe

pid process

4076 ._cache_tmp.exe
4076 ._cache_tmp.exe
5032 ._cache_computer.exe
5032 ._cache_computer.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

tmp.exe._cache_tmp.execomputer.exeServer_se.exeSynaptics.exe._cache_Synaptics.execomputer.exeSynaptics.exe._cache_Synaptics.execomputer.exeSynaptics.exe._cache_Synaptics.exe

description	pid	process	target process
PID 2000 wrote to memory of 4076	2000	tmp.exe	._cache_tmp.exe
PID 2000 wrote to memory of 4076	2000	tmp.exe	._cache_tmp.exe
PID 2000 wrote to memory of 4076	2000	tmp.exe	._cache_tmp.exe
PID 4076 wrote to memory of 4380	4076	._cache_tmp.exe	cmd.exe
PID 4076 wrote to memory of 4380	4076	._cache_tmp.exe	cmd.exe
PID 4076 wrote to memory of 4380	4076	._cache_tmp.exe	cmd.exe
PID 2000 wrote to memory of 1416	2000	tmp.exe	Synaptics.exe
PID 2000 wrote to memory of 1416	2000	tmp.exe	Synaptics.exe
PID 2000 wrote to memory of 1416	2000	tmp.exe	Synaptics.exe
PID 4076 wrote to memory of 2712	4076	._cache_tmp.exe	computer.exe
PID 4076 wrote to memory of 2712	4076	._cache_tmp.exe	computer.exe
PID 4076 wrote to memory of 2712	4076	._cache_tmp.exe	computer.exe
PID 2712 wrote to memory of 5032	2712	computer.exe	._cache_computer.exe
PID 2712 wrote to memory of 5032	2712	computer.exe	._cache_computer.exe
PID 2712 wrote to memory of 5032	2712	computer.exe	._cache_computer.exe
PID 2712 wrote to memory of 4584	2712	computer.exe	Synaptics.exe
PID 2712 wrote to memory of 4584	2712	computer.exe	Synaptics.exe
PID 2712 wrote to memory of 4584	2712	computer.exe	Synaptics.exe
PID 4076 wrote to memory of 1828	4076	._cache_tmp.exe	Server_se.exe
PID 4076 wrote to memory of 1828	4076	._cache_tmp.exe	Server_se.exe
PID 4076 wrote to memory of 1828	4076	._cache_tmp.exe	Server_se.exe
PID 1828 wrote to memory of 2500	1828	Server_se.exe	._cache_Server_se.exe
PID 1828 wrote to memory of 2500	1828	Server_se.exe	._cache_Server_se.exe
PID 1828 wrote to memory of 2500	1828	Server_se.exe	._cache_Server_se.exe
PID 1828 wrote to memory of 1812	1828	Server_se.exe	Synaptics.exe
PID 1828 wrote to memory of 1812	1828	Server_se.exe	Synaptics.exe
PID 1828 wrote to memory of 1812	1828	Server_se.exe	Synaptics.exe
PID 1416 wrote to memory of 4520	1416	Synaptics.exe	._cache_Synaptics.exe
PID 1416 wrote to memory of 4520	1416	Synaptics.exe	._cache_Synaptics.exe
PID 1416 wrote to memory of 4520	1416	Synaptics.exe	._cache_Synaptics.exe
PID 4520 wrote to memory of 5112	4520	._cache_Synaptics.exe	cmd.exe
PID 4520 wrote to memory of 5112	4520	._cache_Synaptics.exe	cmd.exe
PID 4520 wrote to memory of 5112	4520	._cache_Synaptics.exe	cmd.exe
PID 4520 wrote to memory of 2536	4520	._cache_Synaptics.exe	computer.exe
PID 4520 wrote to memory of 2536	4520	._cache_Synaptics.exe	computer.exe
PID 4520 wrote to memory of 2536	4520	._cache_Synaptics.exe	computer.exe
PID 2536 wrote to memory of 4132	2536	computer.exe	._cache_computer.exe
PID 2536 wrote to memory of 4132	2536	computer.exe	._cache_computer.exe
PID 2536 wrote to memory of 4132	2536	computer.exe	._cache_computer.exe
PID 4584 wrote to memory of 4932	4584	Synaptics.exe	._cache_Synaptics.exe
PID 4584 wrote to memory of 4932	4584	Synaptics.exe	._cache_Synaptics.exe
PID 4584 wrote to memory of 4932	4584	Synaptics.exe	._cache_Synaptics.exe
PID 4932 wrote to memory of 3584	4932	._cache_Synaptics.exe	cmd.exe
PID 4932 wrote to memory of 3584	4932	._cache_Synaptics.exe	cmd.exe
PID 4932 wrote to memory of 3584	4932	._cache_Synaptics.exe	cmd.exe
PID 4932 wrote to memory of 4672	4932	._cache_Synaptics.exe	computer.exe
PID 4932 wrote to memory of 4672	4932	._cache_Synaptics.exe	computer.exe
PID 4932 wrote to memory of 4672	4932	._cache_Synaptics.exe	computer.exe
PID 4672 wrote to memory of 3848	4672	computer.exe	._cache_computer.exe
PID 4672 wrote to memory of 3848	4672	computer.exe	._cache_computer.exe
PID 4672 wrote to memory of 3848	4672	computer.exe	._cache_computer.exe
PID 1812 wrote to memory of 2220	1812	Synaptics.exe	._cache_Synaptics.exe
PID 1812 wrote to memory of 2220	1812	Synaptics.exe	._cache_Synaptics.exe
PID 1812 wrote to memory of 2220	1812	Synaptics.exe	._cache_Synaptics.exe
PID 2220 wrote to memory of 3440	2220	._cache_Synaptics.exe	cmd.exe
PID 2220 wrote to memory of 3440	2220	._cache_Synaptics.exe	cmd.exe
PID 2220 wrote to memory of 3440	2220	._cache_Synaptics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c md C:\windowss64
3⤵
PID:4380

C:\windowss64\computer.exe
"C:\windowss64\computer.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5032

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c md C:\windowss64
6⤵
PID:3584

C:\windowss64\computer.exe
"C:\windowss64\computer.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4672

C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
7⤵
- Executes dropped EXE
PID:3848

\??\c:\Server_se.exe
c:\Server_se.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\._cache_Server_se.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Server_se.exe"
4⤵
- Executes dropped EXE
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 480
5⤵
- Program crash
PID:3588

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c md C:\windowss64
6⤵
PID:3440

C:\windowss64\computer.exe
"C:\windowss64\computer.exe"
6⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
7⤵
PID:5060

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c md C:\windowss64
4⤵
PID:5112

C:\windowss64\computer.exe
"C:\windowss64\computer.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2500 -ip 2500
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
1.5MB

MD5
90ec6306c82c23bc93301410e61d2461

SHA1
e50b0625f4ec6598516c0a5e98bbc2d6dd0aa327

SHA256
1c78dfb017659c303502c97118fa9d2a6d8dcd02024350219a8ac4c4342dbbe4

SHA512
e13a680612ebc84081e91716188230dd050e3e28dfd206d2236cd4d9c48bf9ccb00294a133f31f2837f1f85fe1e16a95e8f2801e6fa5b9558cf233cac39c88a4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
1.5MB

MD5
90ec6306c82c23bc93301410e61d2461

SHA1
e50b0625f4ec6598516c0a5e98bbc2d6dd0aa327

SHA256
1c78dfb017659c303502c97118fa9d2a6d8dcd02024350219a8ac4c4342dbbe4

SHA512
e13a680612ebc84081e91716188230dd050e3e28dfd206d2236cd4d9c48bf9ccb00294a133f31f2837f1f85fe1e16a95e8f2801e6fa5b9558cf233cac39c88a4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
1.5MB

MD5
90ec6306c82c23bc93301410e61d2461

SHA1
e50b0625f4ec6598516c0a5e98bbc2d6dd0aa327

SHA256
1c78dfb017659c303502c97118fa9d2a6d8dcd02024350219a8ac4c4342dbbe4

SHA512
e13a680612ebc84081e91716188230dd050e3e28dfd206d2236cd4d9c48bf9ccb00294a133f31f2837f1f85fe1e16a95e8f2801e6fa5b9558cf233cac39c88a4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
1.5MB

MD5
90ec6306c82c23bc93301410e61d2461

SHA1
e50b0625f4ec6598516c0a5e98bbc2d6dd0aa327

SHA256
1c78dfb017659c303502c97118fa9d2a6d8dcd02024350219a8ac4c4342dbbe4

SHA512
e13a680612ebc84081e91716188230dd050e3e28dfd206d2236cd4d9c48bf9ccb00294a133f31f2837f1f85fe1e16a95e8f2801e6fa5b9558cf233cac39c88a4

Download Submit
C:\Server_se.exe
Filesize
1.6MB

MD5
c326b83a1c289944a918f0dc22f7c003

SHA1
b835f673d18e44631d5e138e8d20243829ae93a7

SHA256
9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d

SHA512
8188fea4ebd3da84a752779a57b43e6f3cc573772dc305aff3f7173e7fc6c5be8f3f9629ab609a89603ee9ef5b27e31f79615f10dcecacb150866986cc6b3975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CYD2NY1G\exploror[1].exe
Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Server_se.exe
Filesize
865KB

MD5
84336e3d11c2715b850e1029aff93803

SHA1
26c9e96ce4263bb599e3b92b6d52bf006d829ccb

SHA256
c5717a66a3b087ffcf68b53018bef0881d179922b7654eeab0075da195b5054a

SHA512
fbe5ade00745a2b287d63b3a3363f3ef6c14d274de61e7afafcbc646a98395bb7994da65429f1cc827e1ea2748f1b81c782ee98501611a46fc75410862198f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Server_se.exe
Filesize
865KB

MD5
84336e3d11c2715b850e1029aff93803

SHA1
26c9e96ce4263bb599e3b92b6d52bf006d829ccb

SHA256
c5717a66a3b087ffcf68b53018bef0881d179922b7654eeab0075da195b5054a

SHA512
fbe5ade00745a2b287d63b3a3363f3ef6c14d274de61e7afafcbc646a98395bb7994da65429f1cc827e1ea2748f1b81c782ee98501611a46fc75410862198f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
362KB

MD5
11354a4cb98f15439ab5444fd88e9bfe

SHA1
cc4c0e07f37f5d04f481d536cbe5068cf78fcf30

SHA256
6503d2695c614d42d223c485a554e34c06b47aaf9389ac58305aa17a7773c0e6

SHA512
b90c209df16e2530a21668b8d7c9aa0446fd280d4635ad1427bffc32777e0d9d52b57478ab08421593c1bef9e6804bf66fdaf40ee890b5f5d374173751e7ab0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
362KB

MD5
11354a4cb98f15439ab5444fd88e9bfe

SHA1
cc4c0e07f37f5d04f481d536cbe5068cf78fcf30

SHA256
6503d2695c614d42d223c485a554e34c06b47aaf9389ac58305aa17a7773c0e6

SHA512
b90c209df16e2530a21668b8d7c9aa0446fd280d4635ad1427bffc32777e0d9d52b57478ab08421593c1bef9e6804bf66fdaf40ee890b5f5d374173751e7ab0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
362KB

MD5
11354a4cb98f15439ab5444fd88e9bfe

SHA1
cc4c0e07f37f5d04f481d536cbe5068cf78fcf30

SHA256
6503d2695c614d42d223c485a554e34c06b47aaf9389ac58305aa17a7773c0e6

SHA512
b90c209df16e2530a21668b8d7c9aa0446fd280d4635ad1427bffc32777e0d9d52b57478ab08421593c1bef9e6804bf66fdaf40ee890b5f5d374173751e7ab0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
362KB

MD5
11354a4cb98f15439ab5444fd88e9bfe

SHA1
cc4c0e07f37f5d04f481d536cbe5068cf78fcf30

SHA256
6503d2695c614d42d223c485a554e34c06b47aaf9389ac58305aa17a7773c0e6

SHA512
b90c209df16e2530a21668b8d7c9aa0446fd280d4635ad1427bffc32777e0d9d52b57478ab08421593c1bef9e6804bf66fdaf40ee890b5f5d374173751e7ab0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
362KB

MD5
11354a4cb98f15439ab5444fd88e9bfe

SHA1
cc4c0e07f37f5d04f481d536cbe5068cf78fcf30

SHA256
6503d2695c614d42d223c485a554e34c06b47aaf9389ac58305aa17a7773c0e6

SHA512
b90c209df16e2530a21668b8d7c9aa0446fd280d4635ad1427bffc32777e0d9d52b57478ab08421593c1bef9e6804bf66fdaf40ee890b5f5d374173751e7ab0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
362KB

MD5
11354a4cb98f15439ab5444fd88e9bfe

SHA1
cc4c0e07f37f5d04f481d536cbe5068cf78fcf30

SHA256
6503d2695c614d42d223c485a554e34c06b47aaf9389ac58305aa17a7773c0e6

SHA512
b90c209df16e2530a21668b8d7c9aa0446fd280d4635ad1427bffc32777e0d9d52b57478ab08421593c1bef9e6804bf66fdaf40ee890b5f5d374173751e7ab0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
362KB

MD5
11354a4cb98f15439ab5444fd88e9bfe

SHA1
cc4c0e07f37f5d04f481d536cbe5068cf78fcf30

SHA256
6503d2695c614d42d223c485a554e34c06b47aaf9389ac58305aa17a7773c0e6

SHA512
b90c209df16e2530a21668b8d7c9aa0446fd280d4635ad1427bffc32777e0d9d52b57478ab08421593c1bef9e6804bf66fdaf40ee890b5f5d374173751e7ab0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
362KB

MD5
11354a4cb98f15439ab5444fd88e9bfe

SHA1
cc4c0e07f37f5d04f481d536cbe5068cf78fcf30

SHA256
6503d2695c614d42d223c485a554e34c06b47aaf9389ac58305aa17a7773c0e6

SHA512
b90c209df16e2530a21668b8d7c9aa0446fd280d4635ad1427bffc32777e0d9d52b57478ab08421593c1bef9e6804bf66fdaf40ee890b5f5d374173751e7ab0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe
Filesize
362KB

MD5
11354a4cb98f15439ab5444fd88e9bfe

SHA1
cc4c0e07f37f5d04f481d536cbe5068cf78fcf30

SHA256
6503d2695c614d42d223c485a554e34c06b47aaf9389ac58305aa17a7773c0e6

SHA512
b90c209df16e2530a21668b8d7c9aa0446fd280d4635ad1427bffc32777e0d9d52b57478ab08421593c1bef9e6804bf66fdaf40ee890b5f5d374173751e7ab0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe
Filesize
362KB

MD5
11354a4cb98f15439ab5444fd88e9bfe

SHA1
cc4c0e07f37f5d04f481d536cbe5068cf78fcf30

SHA256
6503d2695c614d42d223c485a554e34c06b47aaf9389ac58305aa17a7773c0e6

SHA512
b90c209df16e2530a21668b8d7c9aa0446fd280d4635ad1427bffc32777e0d9d52b57478ab08421593c1bef9e6804bf66fdaf40ee890b5f5d374173751e7ab0a

Download Submit
C:\windowss64\computer.exe
Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
C:\windowss64\computer.exe
Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
C:\windowss64\computer.exe
Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
C:\windowss64\computer.exe
Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
C:\windowss64\computer.exe
Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
C:\windowss64\computer.exe
Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
C:\windowss64\computer.exe
Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
\??\c:\Server_se.exe
Filesize
1.6MB

MD5
c326b83a1c289944a918f0dc22f7c003

SHA1
b835f673d18e44631d5e138e8d20243829ae93a7

SHA256
9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d

SHA512
8188fea4ebd3da84a752779a57b43e6f3cc573772dc305aff3f7173e7fc6c5be8f3f9629ab609a89603ee9ef5b27e31f79615f10dcecacb150866986cc6b3975

Download Submit
memory/1416-3515-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1416-3513-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1416-1489-0x0000000000000000-mapping.dmp

Download
memory/1416-1493-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1416-1494-0x00000000776A0000-0x0000000077843000-memory.dmp

Filesize
1.6MB

Download
memory/1416-4055-0x0000000002720000-0x0000000002820000-memory.dmp

Filesize
1024KB

Download
memory/1416-4052-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1416-2420-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1416-1495-0x0000000076CF0000-0x0000000076F05000-memory.dmp

Filesize
2.1MB

Download
memory/1416-1497-0x0000000076060000-0x0000000076200000-memory.dmp

Filesize
1.6MB

Download
memory/1416-1498-0x0000000077430000-0x00000000774AA000-memory.dmp

Filesize
488KB

Download
memory/1416-3540-0x0000000002720000-0x0000000002820000-memory.dmp

Filesize
1024KB

Download
memory/1416-3537-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1416-3521-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1416-3517-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1812-5614-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1812-5619-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1812-2878-0x0000000077430000-0x00000000774AA000-memory.dmp

Filesize
488KB

Download
memory/1812-5613-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1812-3239-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1812-2860-0x0000000076CF0000-0x0000000076F05000-memory.dmp

Filesize
2.1MB

Download
memory/1812-5615-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1812-5640-0x00000000022A0000-0x00000000023A0000-memory.dmp

Filesize
1024KB

Download
memory/1812-2852-0x00000000776A0000-0x0000000077843000-memory.dmp

Filesize
1.6MB

Download
memory/1812-5616-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1812-5620-0x00000000022A0000-0x00000000023A0000-memory.dmp

Filesize
1024KB

Download
memory/1812-5639-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1812-2806-0x0000000000000000-mapping.dmp

Download
memory/1812-2872-0x0000000076060000-0x0000000076200000-memory.dmp

Filesize
1.6MB

Download
memory/1828-2712-0x0000000000000000-mapping.dmp

Download
memory/2000-132-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2000-1492-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2000-1484-0x0000000002490000-0x0000000002590000-memory.dmp

Filesize
1024KB

Download
memory/2000-1479-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2000-133-0x00000000776A0000-0x0000000077843000-memory.dmp

Filesize
1.6MB

Download
memory/2000-1480-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2000-1483-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2000-136-0x0000000076060000-0x0000000076200000-memory.dmp

Filesize
1.6MB

Download
memory/2000-134-0x0000000076CF0000-0x0000000076F05000-memory.dmp

Filesize
2.1MB

Download
memory/2000-1482-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2000-1481-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2000-137-0x0000000077430000-0x00000000774AA000-memory.dmp

Filesize
488KB

Download
memory/2220-5621-0x0000000000000000-mapping.dmp

Download
memory/2500-2829-0x0000000076CF0000-0x0000000076F05000-memory.dmp

Filesize
2.1MB

Download
memory/2500-2901-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2500-2792-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2500-2780-0x0000000000000000-mapping.dmp

Download
memory/2500-2823-0x00000000776A0000-0x0000000077843000-memory.dmp

Filesize
1.6MB

Download
memory/2536-3716-0x0000000000000000-mapping.dmp

Download
memory/2712-2354-0x0000000000000000-mapping.dmp

Download
memory/3440-5623-0x0000000000000000-mapping.dmp

Download
memory/3584-5467-0x0000000000000000-mapping.dmp

Download
memory/3848-5553-0x0000000000000000-mapping.dmp

Download
memory/4076-1485-0x0000000000000000-mapping.dmp

Download
memory/4076-2367-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4132-3784-0x0000000000000000-mapping.dmp

Download
memory/4232-5625-0x0000000000000000-mapping.dmp

Download
memory/4380-1488-0x0000000000000000-mapping.dmp

Download
memory/4520-3611-0x0000000000000000-mapping.dmp

Download
memory/4584-5386-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/4584-2410-0x0000000000000000-mapping.dmp

Download
memory/4584-5392-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/4584-5390-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/4584-5388-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/4584-2440-0x0000000076060000-0x0000000076200000-memory.dmp

Filesize
1.6MB

Download
memory/4584-2431-0x00000000776A0000-0x0000000077843000-memory.dmp

Filesize
1.6MB

Download
memory/4584-2443-0x0000000077430000-0x00000000774AA000-memory.dmp

Filesize
488KB

Download
memory/4584-5412-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/4584-2434-0x0000000076CF0000-0x0000000076F05000-memory.dmp

Filesize
2.1MB

Download
memory/4584-5415-0x0000000002300000-0x0000000002400000-memory.dmp

Filesize
1024KB

Download
memory/4584-2850-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/4584-5633-0x0000000002300000-0x0000000002400000-memory.dmp

Filesize
1024KB

Download
memory/4584-5632-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/4672-5514-0x0000000000000000-mapping.dmp

Download
memory/4932-5463-0x0000000000000000-mapping.dmp

Download
memory/5032-2389-0x0000000000000000-mapping.dmp

Download
memory/5032-2401-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/5060-5634-0x0000000000000000-mapping.dmp

Download
memory/5112-3619-0x0000000000000000-mapping.dmp

Download