ebb13c6320767291a2f1156acf6456b240d389ede54b53d9e148aa6b07a1152b

Analysis

max time kernel
108s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88.exe
Size

386KB
MD5

85dfb3535a10b2c1a5688de6cc3d8240
SHA1

16b2f3641ef3e1e94a437b1cf6ad8999eec367e7
SHA256

2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88
SHA512

d8cd83c0fa0b40e00931a2e6ae50fc4b9c4d710b6bdb069397266b55313f3534f57401bcb1665f04177a778e618e9a0bf875c1e53934e2b08be6bee0c74cfa51
SSDEEP

12288:PX4fljUcdN3yWSxAQQouKSFglssknxP4My/SmfV:PEBb3QpjOF4X/Sm

Score

8^/10

spyware stealer upx vmprotect

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\	prevhost.exe

Executes dropped EXE 7 IoCs

pid	Process
1128	drx.exe
1692	drh.exe
1408	svchost.exe
2016	bthudtask.exe
1412	prevhost.exe
1520	gbd018.exe
572	xwizard.exe

Loads dropped DLL 7 IoCs

pid	Process
552	cmd.exe
1692	drh.exe
1692	drh.exe
1800	pcwrun.exe
2016	bthudtask.exe
1408	svchost.exe
1404	diantz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1524-54-0x000000013F550000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/1524-71-0x000000013F550000-0x000000013F634000-memory.dmp	upx
behavioral1/files/0x00060000000142c2-73.dat	upx
behavioral1/files/0x00060000000142c2-75.dat	upx
behavioral1/files/0x0008000000014120-77.dat	upx
behavioral1/files/0x0008000000014120-78.dat	upx
behavioral1/memory/1692-84-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1128-83-0x000000013F1F0000-0x000000013F2CB000-memory.dmp	upx
behavioral1/files/0x0006000000014489-88.dat	upx
behavioral1/files/0x0006000000014489-94.dat	upx
behavioral1/files/0x0006000000014489-91.dat	upx
behavioral1/files/0x0006000000014489-90.dat	upx
behavioral1/memory/1692-95-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1408-100-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1128-123-0x000000013F1F0000-0x000000013F2CB000-memory.dmp	upx
behavioral1/memory/1128-177-0x000000013F1F0000-0x000000013F2CB000-memory.dmp	upx
behavioral1/files/0x00060000000142c2-178.dat	upx
behavioral1/memory/1408-179-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1408-213-0x0000000000400000-0x00000000004F6000-memory.dmp	upx

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000600000001531c-196.dat	vmprotect
behavioral1/files/0x00070000000155f0-298.dat	vmprotect
behavioral1/memory/1412-315-0x0000000008AB0000-0x000000000915B000-memory.dmp	vmprotect
behavioral1/files/0x000500000000b3e2-451.dat	vmprotect

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\Baiqwx.tmp	prevhost.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	prevhost.exe
File created	C:\Windows\system32\eFsXgAH.sys	prevhost.exe
File created	C:\Windows\system32\t1CqoS.sys	prevhost.exe
File created	C:\Windows\system32\yJ9bt93.tmp	prevhost.exe
File created	C:\Windows\system32\QpjFXUE.sys	prevhost.exe
File created	C:\Windows\system32\X1n8WfifU.sys	prevhost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	prevhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2028	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.2345.com?90335-00624	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	Explorer.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\405B93CBBE92AF96B493A9FFE9ECE4D036A93D4E	prevhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\405B93CBBE92AF96B493A9FFE9ECE4D036A93D4E\Blob = 030000000100000014000000405b93cbbe92af96b493a9ffe9ece4d036a93d4e20000000010000004802000030820244308201ada003020102020100300d06092a864886f70d01010b05003046310b300906035504061302434e3137303506035504030c2e4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e205633301e170d3233303332313032333833325a170d3234303332303032333833325a3046310b300906035504061302434e3137303506035504030c2e4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e20563330819f300d06092a864886f70d010101050003818d0030818902818100be946a4dfed0c4bf08cb6cf237f5b5ab836bd06abd9d686e1f55335d3a6d47492d4f67ec15f943a6843a650a63f6f05a4b24b1ad58c7b2504d4345630343eefd9042bf2eefd78d8772e9632cd4d4ed002609dced4ecb30514ab73fb693297e51f9b0212970fdabafd5ebb6288c0aa239d4d737913f87dec4808e754ae6cfd46f0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414468114e33a728ade95ac58a9ffdcd934d64a7786300d06092a864886f70d01010b050003818100a87a37aa68187a79fddfde8ee6beb1ac4432d05f1023e4fc38bc15ad712870fd81bf1f74e4c2ceb296a08389440672c3b8cb32456796b1f0fd2aa17d16c464f21dcc7d38aa9acb2f2b7a1a25deb45f8065981ad0af789cb57068a1771e6ec7399a83f74bfe23437b2204a18035dc4299ee706822442cfea5a1a95fa8e4a26b19	prevhost.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1692	drh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1128	drx.exe
1128	drx.exe
1128	drx.exe
1128	drx.exe
1128	drx.exe
1128	drx.exe
1128	drx.exe
1800	pcwrun.exe
1800	pcwrun.exe
1800	pcwrun.exe
2016	bthudtask.exe
2016	bthudtask.exe
1412	prevhost.exe
1412	prevhost.exe
1184	Explorer.EXE
1184	Explorer.EXE
1412	prevhost.exe
1412	prevhost.exe
1404	diantz.exe
1404	diantz.exe
1184	Explorer.EXE
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1184	Explorer.EXE
1404	diantz.exe
1184	Explorer.EXE
1412	prevhost.exe
1412	prevhost.exe
1184	Explorer.EXE
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1184	Explorer.EXE
1412	prevhost.exe
1184	Explorer.EXE
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1184	Explorer.EXE
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1184	Explorer.EXE
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1184	Explorer.EXE
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe
1412	prevhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1412	prevhost.exe
1184	Explorer.EXE

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	drx.exe
Token: SeTcbPrivilege	1128	drx.exe
Token: SeDebugPrivilege	1128	drx.exe
Token: SeDebugPrivilege	1800	pcwrun.exe
Token: SeTcbPrivilege	1800	pcwrun.exe
Token: SeCreateTokenPrivilege	1800	pcwrun.exe
Token: SeAssignPrimaryTokenPrivilege	1800	pcwrun.exe
Token: SeLockMemoryPrivilege	1800	pcwrun.exe
Token: SeIncreaseQuotaPrivilege	1800	pcwrun.exe
Token: SeMachineAccountPrivilege	1800	pcwrun.exe
Token: SeTcbPrivilege	1800	pcwrun.exe
Token: SeSecurityPrivilege	1800	pcwrun.exe
Token: SeTakeOwnershipPrivilege	1800	pcwrun.exe
Token: SeLoadDriverPrivilege	1800	pcwrun.exe
Token: SeSystemProfilePrivilege	1800	pcwrun.exe
Token: SeSystemtimePrivilege	1800	pcwrun.exe
Token: SeProfSingleProcessPrivilege	1800	pcwrun.exe
Token: SeIncBasePriorityPrivilege	1800	pcwrun.exe
Token: SeCreatePagefilePrivilege	1800	pcwrun.exe
Token: SeCreatePermanentPrivilege	1800	pcwrun.exe
Token: SeBackupPrivilege	1800	pcwrun.exe
Token: SeRestorePrivilege	1800	pcwrun.exe
Token: SeShutdownPrivilege	1800	pcwrun.exe
Token: SeDebugPrivilege	1800	pcwrun.exe
Token: SeAuditPrivilege	1800	pcwrun.exe
Token: SeSystemEnvironmentPrivilege	1800	pcwrun.exe
Token: SeChangeNotifyPrivilege	1800	pcwrun.exe
Token: SeRemoteShutdownPrivilege	1800	pcwrun.exe
Token: SeUndockPrivilege	1800	pcwrun.exe
Token: SeSyncAgentPrivilege	1800	pcwrun.exe
Token: SeEnableDelegationPrivilege	1800	pcwrun.exe
Token: SeManageVolumePrivilege	1800	pcwrun.exe
Token: SeImpersonatePrivilege	1800	pcwrun.exe
Token: SeCreateGlobalPrivilege	1800	pcwrun.exe
Token: 31	1800	pcwrun.exe
Token: 32	1800	pcwrun.exe
Token: 33	1800	pcwrun.exe
Token: 34	1800	pcwrun.exe
Token: 35	1800	pcwrun.exe
Token: SeDebugPrivilege	1800	pcwrun.exe
Token: SeDebugPrivilege	2016	bthudtask.exe
Token: SeTcbPrivilege	2016	bthudtask.exe
Token: SeCreateTokenPrivilege	2016	bthudtask.exe
Token: SeAssignPrimaryTokenPrivilege	2016	bthudtask.exe
Token: SeLockMemoryPrivilege	2016	bthudtask.exe
Token: SeIncreaseQuotaPrivilege	2016	bthudtask.exe
Token: SeMachineAccountPrivilege	2016	bthudtask.exe
Token: SeTcbPrivilege	2016	bthudtask.exe
Token: SeSecurityPrivilege	2016	bthudtask.exe
Token: SeTakeOwnershipPrivilege	2016	bthudtask.exe
Token: SeLoadDriverPrivilege	2016	bthudtask.exe
Token: SeSystemProfilePrivilege	2016	bthudtask.exe
Token: SeSystemtimePrivilege	2016	bthudtask.exe
Token: SeProfSingleProcessPrivilege	2016	bthudtask.exe
Token: SeIncBasePriorityPrivilege	2016	bthudtask.exe
Token: SeCreatePagefilePrivilege	2016	bthudtask.exe
Token: SeCreatePermanentPrivilege	2016	bthudtask.exe
Token: SeBackupPrivilege	2016	bthudtask.exe
Token: SeRestorePrivilege	2016	bthudtask.exe
Token: SeShutdownPrivilege	2016	bthudtask.exe
Token: SeDebugPrivilege	2016	bthudtask.exe
Token: SeAuditPrivilege	2016	bthudtask.exe
Token: SeSystemEnvironmentPrivilege	2016	bthudtask.exe
Token: SeChangeNotifyPrivilege	2016	bthudtask.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 552	1524	2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88.exe	27
PID 1524 wrote to memory of 552	1524	2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88.exe	27
PID 1524 wrote to memory of 552	1524	2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88.exe	27
PID 552 wrote to memory of 1128	552	cmd.exe	29
PID 552 wrote to memory of 1128	552	cmd.exe	29
PID 552 wrote to memory of 1128	552	cmd.exe	29
PID 552 wrote to memory of 1692	552	cmd.exe	30
PID 552 wrote to memory of 1692	552	cmd.exe	30
PID 552 wrote to memory of 1692	552	cmd.exe	30
PID 552 wrote to memory of 1692	552	cmd.exe	30
PID 1692 wrote to memory of 1408	1692	drh.exe	31
PID 1692 wrote to memory of 1408	1692	drh.exe	31
PID 1692 wrote to memory of 1408	1692	drh.exe	31
PID 1692 wrote to memory of 1408	1692	drh.exe	31
PID 1128 wrote to memory of 1800	1128	drx.exe	34
PID 1128 wrote to memory of 1800	1128	drx.exe	34
PID 1128 wrote to memory of 1800	1128	drx.exe	34
PID 1128 wrote to memory of 1800	1128	drx.exe	34
PID 1128 wrote to memory of 1800	1128	drx.exe	34
PID 1128 wrote to memory of 1800	1128	drx.exe	34
PID 1128 wrote to memory of 1800	1128	drx.exe	34
PID 1128 wrote to memory of 1800	1128	drx.exe	34
PID 1800 wrote to memory of 2016	1800	pcwrun.exe	35
PID 1800 wrote to memory of 2016	1800	pcwrun.exe	35
PID 1800 wrote to memory of 2016	1800	pcwrun.exe	35
PID 1800 wrote to memory of 2016	1800	pcwrun.exe	35
PID 1800 wrote to memory of 2016	1800	pcwrun.exe	35
PID 1800 wrote to memory of 2016	1800	pcwrun.exe	35
PID 1800 wrote to memory of 2016	1800	pcwrun.exe	35
PID 1800 wrote to memory of 2016	1800	pcwrun.exe	35
PID 1800 wrote to memory of 2016	1800	pcwrun.exe	35
PID 2016 wrote to memory of 808	2016	bthudtask.exe	22
PID 2016 wrote to memory of 808	2016	bthudtask.exe	22
PID 2016 wrote to memory of 808	2016	bthudtask.exe	22
PID 2016 wrote to memory of 808	2016	bthudtask.exe	22
PID 2016 wrote to memory of 808	2016	bthudtask.exe	22
PID 2016 wrote to memory of 808	2016	bthudtask.exe	22
PID 2016 wrote to memory of 1412	2016	bthudtask.exe	36
PID 2016 wrote to memory of 1412	2016	bthudtask.exe	36
PID 2016 wrote to memory of 1412	2016	bthudtask.exe	36
PID 2016 wrote to memory of 808	2016	bthudtask.exe	22
PID 2016 wrote to memory of 1412	2016	bthudtask.exe	36
PID 2016 wrote to memory of 1412	2016	bthudtask.exe	36
PID 2016 wrote to memory of 1412	2016	bthudtask.exe	36
PID 2016 wrote to memory of 1412	2016	bthudtask.exe	36
PID 2016 wrote to memory of 1412	2016	bthudtask.exe	36
PID 1412 wrote to memory of 2028	1412	prevhost.exe	38
PID 1412 wrote to memory of 2028	1412	prevhost.exe	38
PID 1412 wrote to memory of 2028	1412	prevhost.exe	38
PID 1128 wrote to memory of 760	1128	drx.exe	40
PID 1128 wrote to memory of 760	1128	drx.exe	40
PID 1128 wrote to memory of 760	1128	drx.exe	40
PID 1412 wrote to memory of 2016	1412	prevhost.exe	35
PID 1412 wrote to memory of 2016	1412	prevhost.exe	35
PID 1412 wrote to memory of 2016	1412	prevhost.exe	35
PID 1412 wrote to memory of 2016	1412	prevhost.exe	35
PID 1412 wrote to memory of 2016	1412	prevhost.exe	35
PID 1408 wrote to memory of 1520	1408	svchost.exe	41
PID 1408 wrote to memory of 1520	1408	svchost.exe	41
PID 1408 wrote to memory of 1520	1408	svchost.exe	41
PID 1408 wrote to memory of 1520	1408	svchost.exe	41
PID 1412 wrote to memory of 1184	1412	prevhost.exe	12
PID 1412 wrote to memory of 1184	1412	prevhost.exe	12
PID 1412 wrote to memory of 1184	1412	prevhost.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1184
- C:\Users\Admin\AppData\Local\Temp\2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88.exe
  "C:\Users\Admin\AppData\Local\Temp\2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\cmd.exe
    cmd /c C:\\Windows\\Temp\\drive\\xh.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\Temp\drive\drx.exe
      C:\Windows\Temp\drive\drx.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\system32\pcwrun.exe
        
        "C:\Windows\system32\pcwrun.exe"
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\bthudtask.exe
        
        C:\Users\Admin\AppData\Local\Temp\\bthudtask.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\31bg040\prevhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\31bg040\prevhost.exe"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\windows\system32\ipconfig.exe
        
        /flushdns
        8⤵
        Gathers network information
        
        PID:2028
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Windows\Temp\drive\drx.exe"
        5⤵
        
        PID:760
  - - C:\Windows\Temp\drive\drh.exe
      C:\Windows\Temp\drive\drh.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe" -p C:\Windows\Temp\drive\drh.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Users\Admin\AppData\Roaming\MiniDownloader\gbd018.exe
        
        "C:\Users\Admin\AppData\Roaming\MiniDownloader\gbd018.exe" -c 3057 -m C:\Users\Admin\AppData\Roaming\MiniDownloader\MiniDownloader.exe -b C:\Users\Admin\AppData\Roaming\MiniDownloader\gamebox\GameBox_SNDA.exe
        6⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\system32\winload.exe
        
        "C:\Windows\system32\winload.exe"
        7⤵
        
        PID:1628
        
        C:\Windows\system32\diantz.exe
        
        "C:\Windows\system32\diantz.exe"
        7⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\\xwizard.exe
        8⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Users\Admin\AppData\Roaming\MiniDownloader\gbd018.exe"
        7⤵
        
        PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
15789cffc595ef231aa9aa95fe8a0624

SHA1
9696d0baeb89c4e59bd227f78d785e4b20b33e72

SHA256
2bcf0dfb5b4083e45844218d9a5dc801386eb21d0eb20ddc4f08280b558cbb67

SHA512
fd2c1fca8f1282dab6fec949c74e289db648818075209c0a4b2b1cd1752c8829380a95cd4dc406496d508510b8a1946b7e6fcd8ad59c3a945401c589cb31ec9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
1KB

MD5
872b5e4de30bbe4b779aa524fb7a0530

SHA1
ba002c3a4030390bad4dea19358bc793c0c1b9da

SHA256
41fea58d7a754481d584811b943e424efa68ca64956dd32a22434c4b75f3d413

SHA512
9b77aad34e38c9b873ffd79fe1b5050530e01018ca5a0b92b797b7eeaa5b51bb059febc2b9b466dffeb558a99acb57e5e47d2e2bc419ca1a271a98b68345bdf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
aa9fc42e99840d41613af39d500a91cc

SHA1
d70ca8a0f0923066d54de46024b7c1270c77e936

SHA256
0b1ff6753ce28a2645b51348e60ced844bce8d1d6ee88e51cde798a00f1f3634

SHA512
e305b5dd8b680ee4642c6fb94d33f99903ce21d80b4098b962cb82afc1c9ed9d329e39f14b2cf6ccbf6d9bbba30bf923156a3ef289456e934d5fc6dd43626d91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
7742379f6b07a3b203477e4004ddfe4e

SHA1
91affc834982af6d777767d756c34926b81cba33

SHA256
408595a8532fbae89ee67d3edb432263f8bcfa0e87e3c84cd6da4ec3a8701902

SHA512
f12b74a0f0d15e5089e9c59550e580784a8f2ff868d9585c414b77cb08d23847af21faa91dc24619d2251ccba1ebc9c749cdd54333350a5d47e0181b2b59399c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
532B

MD5
bffa7b5499cd38dd7183ac28b210b5af

SHA1
2be55843fbf2cafbf7393dd6ebe5a1c2d762d3ff

SHA256
48f7daeeabd137d329912609dade751d26a10bd4553b93269580bd11270618f4

SHA512
0aebdf962d0ff64dd5abaae804d457688150c86d8f0110bb70dc6ceaac3332501c2687a615f586d3506f298bda316c8195e8d5d98c2f7a2fe23de9863fdacee3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e0f4eceede9f32bcfe3cf01ac3b3e93

SHA1
0082ad36d309817cfa1bf98b88b17aedce7c7028

SHA256
be99647829c871710d1e8e2755fe3e00120c02124ef8f62df893a2213ea04874

SHA512
fb404ab66ada128f79b391490e505b1bca6d9fbe821bdc8b4f43f9cd46ac90a419eb2e63c8dcaff424ff11b808761432b35db193a72080d68347eafab7f5a086

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
38d487b283ec045385d2f0744fdf84d0

SHA1
f397bb6cb35312360e790848ac3ea49f0bab9354

SHA256
d0c0f5a22cd6e93b2959978006c47d70b7d9ff97dca8cbbcbfcd07999df3fbc0

SHA512
aeb22ab4ba1f0f45e19a9b4c3c34790955ab659dea398b666636af76f0a6bee5245db3c9cdb891cbab02b5508f03bb0974150c4592c951bf8c6565c03259ba47

Download Submit
C:\Users\Admin\AppData\Local\Temp\31bg040\prevhost.exe

Filesize
30KB

MD5
6b05d2c6a32f3d7ce89e4ecef7c3b7a5

SHA1
49b7607df897788e4d16f479c3be819563c73dc1

SHA256
498d3af840f93f247619565a3b1e40894900d5d162cb71b63592b3711fe787b7

SHA512
d9fe83326a96a74c4f9457544b79c04845ae0daf3d94f321ba8d35de66b508595a4484a0d27157fbad3faffb10444582e8dd7d765d85e802fcc0ee3210c225ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBF1C.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC11F.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bthudtask.exe

Filesize
25KB

MD5
f6f21358dd6bbc65ba45ca595e557611

SHA1
e6a46fcdeb46668feb96484ba8cd3b31f5486e0b

SHA256
e2d39f40a48ef9155a2591ae26ef1bdfc9590dbef9955c063e182d1a5f1776f5

SHA512
3e4e6866f10fe554ffb2f030c986897a568e9e054f351ad3430bdc13c941f76fda266253a4ad928aa76bb497c862c89a39bfd13fcdc33e251eeae8ff27964caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic24C0.tmp

Filesize
3KB

MD5
7119be648c798ec949869fecf3678fdf

SHA1
80432c6c8422751c3f42d1feabdbe6209d82bb83

SHA256
596583f8cd154569defe1b0c3307d2ff32b78185a8eb7a75ae15a5bb44bd5686

SHA512
8e8f139ccc4e584392c8e2d78027442512332f9e6273de6af917fa5632529dc6c04ecfbc16a6dafd943f5cd382e211a96f23d52bdef84f8c1aa0946a301cc23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
115KB

MD5
b9624604528aa545a3303ddc3ea3b9d7

SHA1
c4b95895b13bc83c96d945034de4c0460c764572

SHA256
278e8bd017ac178fce9a847e0f326ed104647ccd43635e7ec45065d76a8efa31

SHA512
e3421ab696db44d61fc62ac5ca94826f7f19f202c31dff0e3cc04ed4f18495fccfd4f748bf42beeaecb7a2abfabbbb065b6fade8db3856d3123b1ed7b93497d3

Download Submit
C:\Users\Admin\AppData\Roaming\MiniDownloader\gbd018.exe

Filesize
400KB

MD5
ab7f70ee178c8d7a64b4ee6d510e17e5

SHA1
ee91abc75493905b8a4b19d30a1c638d861043ff

SHA256
1a8a02677bc69fa970a26ce35bbfcef1380bd7acffe95ff3478cf01bc5374a5f

SHA512
5235185f01ebc7b140e603a96c9480c2bd90b5ba2315273d4fc6021144416c2c7551ab968e0e04eb3870d2e5b2791c703c5d88671d9f89e2204723fafaaeb738

Download Submit
C:\Users\Admin\AppData\Roaming\MiniDownloader\gbd018.exe

Filesize
400KB

MD5
ab7f70ee178c8d7a64b4ee6d510e17e5

SHA1
ee91abc75493905b8a4b19d30a1c638d861043ff

SHA256
1a8a02677bc69fa970a26ce35bbfcef1380bd7acffe95ff3478cf01bc5374a5f

SHA512
5235185f01ebc7b140e603a96c9480c2bd90b5ba2315273d4fc6021144416c2c7551ab968e0e04eb3870d2e5b2791c703c5d88671d9f89e2204723fafaaeb738

Download Submit
C:\Users\Admin\AppData\Roaming\MiniDownloader\gbd018.exe

Filesize
400KB

MD5
ab7f70ee178c8d7a64b4ee6d510e17e5

SHA1
ee91abc75493905b8a4b19d30a1c638d861043ff

SHA256
1a8a02677bc69fa970a26ce35bbfcef1380bd7acffe95ff3478cf01bc5374a5f

SHA512
5235185f01ebc7b140e603a96c9480c2bd90b5ba2315273d4fc6021144416c2c7551ab968e0e04eb3870d2e5b2791c703c5d88671d9f89e2204723fafaaeb738

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
388KB

MD5
abefa84914063eefadb4385db44ebb82

SHA1
f5ccbf861703b86b16e083fa25245816d517f136

SHA256
72a5ba430d274e7f5c62be710924541bd557721eb66fe2870e439d5b614602b6

SHA512
760e72754f10629b820944db4a59b47d439c8919c9392985adc5c0fb9e873ad1f7a6ea9670fa642a1f733da34fa41e128c12d54eb33b8537cb7ecee56329abc8

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
388KB

MD5
abefa84914063eefadb4385db44ebb82

SHA1
f5ccbf861703b86b16e083fa25245816d517f136

SHA256
72a5ba430d274e7f5c62be710924541bd557721eb66fe2870e439d5b614602b6

SHA512
760e72754f10629b820944db4a59b47d439c8919c9392985adc5c0fb9e873ad1f7a6ea9670fa642a1f733da34fa41e128c12d54eb33b8537cb7ecee56329abc8

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
194KB

MD5
4acd242461869b407b432df0a5737445

SHA1
7b5a6c75647c39583645347131cdc2615af1de5b

SHA256
4bc2e0f89697ebab69b0503e07968438561d92f9549b80f4bb710c834ef89b7a

SHA512
493f0ad7ce75cda8ba501119bb564e0304c1ad0081dbba745c9b92829b75778c8277f3d9e433ff30661b6cc6604ee6aaa7a0cbf388de330a8469a3e7908161d7

Download Submit
C:\Windows\Temp\drive\drh.exe

Filesize
388KB

MD5
abefa84914063eefadb4385db44ebb82

SHA1
f5ccbf861703b86b16e083fa25245816d517f136

SHA256
72a5ba430d274e7f5c62be710924541bd557721eb66fe2870e439d5b614602b6

SHA512
760e72754f10629b820944db4a59b47d439c8919c9392985adc5c0fb9e873ad1f7a6ea9670fa642a1f733da34fa41e128c12d54eb33b8537cb7ecee56329abc8

Download Submit
C:\Windows\Temp\drive\drh.exe

Filesize
388KB

MD5
abefa84914063eefadb4385db44ebb82

SHA1
f5ccbf861703b86b16e083fa25245816d517f136

SHA256
72a5ba430d274e7f5c62be710924541bd557721eb66fe2870e439d5b614602b6

SHA512
760e72754f10629b820944db4a59b47d439c8919c9392985adc5c0fb9e873ad1f7a6ea9670fa642a1f733da34fa41e128c12d54eb33b8537cb7ecee56329abc8

Download Submit
C:\Windows\Temp\drive\drm.exe

Filesize
1.0MB

MD5
e01e6c30fd7f297709e84c64b7679e08

SHA1
6c7c81868eabf557d910c7e10b0beb842c3e2aba

SHA256
fa995a0ea7d92837a6a7df6068a612fd1805d85edfe042a66ee9db45befde4fd

SHA512
82624dd0900d4766b81f8674ad3a73ad73b2394e0178bd5fe47d45780b665699f46620bbe1a72179b7dce3ce5ecf1967852d8f8917a56a1a254dee502c015c71

Download Submit
C:\Windows\Temp\drive\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
C:\Windows\Temp\drive\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
C:\Windows\Temp\drive\hm.bat

Filesize
324B

MD5
a1db8b2ee6e2af40836f5c4848164a14

SHA1
0f51f0dd04d8977aa399061c0de2c72d542805cf

SHA256
910c02712b3016f3262910c35aa7ac4097d6b94e7e8698a484709138be077310

SHA512
252f444482cf923400f31cdc8f10d3f62b5fbc91b48ce3cccc027e9f0884eb32fd6d401cd7e54b2cde1d52ef041f65aedb3638964f994eec599cf5ba28367002

Download Submit
C:\Windows\Temp\drive\xh.bat

Filesize
328B

MD5
b42ac94f654b4e371310c962fe1b08e2

SHA1
82901a2d88d13bf4ccad9e78556dba99b14538c2

SHA256
07499578ae0e4031ea05d3551fcae32f5ba990025a8706e3038662f2ac5a5f71

SHA512
c10a9ae4d2985c84a90b0b7d64383cba13d758985cfc8ae8a668b1ee77746eb9e27a218b14d6b820fe46bcf9f89055ecb1eb9ef8d07329ec336fd4fc3f3e1ff3

Download Submit
C:\Windows\Temp\drive\xh.bat

Filesize
328B

MD5
b42ac94f654b4e371310c962fe1b08e2

SHA1
82901a2d88d13bf4ccad9e78556dba99b14538c2

SHA256
07499578ae0e4031ea05d3551fcae32f5ba990025a8706e3038662f2ac5a5f71

SHA512
c10a9ae4d2985c84a90b0b7d64383cba13d758985cfc8ae8a668b1ee77746eb9e27a218b14d6b820fe46bcf9f89055ecb1eb9ef8d07329ec336fd4fc3f3e1ff3

Download Submit
C:\Windows\Temp\drive\xhm.bat

Filesize
368B

MD5
7e064812fb4a4569e17cb36180dcb751

SHA1
0a8c3d38e4c41d3bf030dd0b1f5d8483762546f9

SHA256
68cff3c1444990c07673e234f919a2307380d2a15b66798138bce64be4f75a29

SHA512
e6d62fc3700f43bcb9b9657e1c7daa0e6acd245f8243aee53165288d9e3ae3369af1143dcdec3f560da093b9ffdee5b6d8ffe0c4153b845752bff7106848ac32

Download Submit
C:\Windows\Temp\drive\xm.bat

Filesize
324B

MD5
91609f2b4b51dcc2efbd995aed4c2793

SHA1
06b0622385a48f0c540613bd1ae790dff8a2eb03

SHA256
1108576aa92bfb0a222b6c1cca599b5a549a9ee05e166fd4d47c106d1f5edc51

SHA512
2260fc4237212947daa8170621d32327049f0cb3b6cf41272f16b023a8be2ba99cf4f0986ee4a947fa7230927ed2f92bb0062721d04f43d5349ac81855f090d0

Download Submit
C:\Windows\system32\X1n8WfifU.sys

Filesize
894KB

MD5
94bb2efa85620433d3cb7828765766d0

SHA1
65fab35c68b97219f5768dbc97d7f6a245ab00a1

SHA256
68790bff3426580e5f1c94c731d36ec927c42989dfd767df6f3b6464376c0242

SHA512
86ca3c612ef973c78dd7aff46b2ed5e46051f9df680e991f884f00a83897ea8a5829c9b29db89c196d285afd53176cb2a97dee58ae3952785880712730dace50

Download Submit
C:\Windows\system32\eFsXgAH.sys

Filesize
902KB

MD5
3fb3ce41f5ac7fbd7e1669b5f09b032f

SHA1
7e4702f7f408e11e3492859164d90fb9ed822b07

SHA256
928b9c796167ca3cb67d52c429f7efd7f3e6e3ff492887bdf94b81ded1f36585

SHA512
9856019c1d09de54be29e8c121de825e75ff0bac0d27b0e5b3707f137690738ac5e6932c9395a7bf9de7a08d92c02b8d71abc44439f93f3df3aeed08923e7b47

Download Submit
C:\Windows\system32\t1CqoS.sys

Filesize
894KB

MD5
94bb2efa85620433d3cb7828765766d0

SHA1
65fab35c68b97219f5768dbc97d7f6a245ab00a1

SHA256
68790bff3426580e5f1c94c731d36ec927c42989dfd767df6f3b6464376c0242

SHA512
86ca3c612ef973c78dd7aff46b2ed5e46051f9df680e991f884f00a83897ea8a5829c9b29db89c196d285afd53176cb2a97dee58ae3952785880712730dace50

Download Submit
\Users\Admin\AppData\Local\Temp\31bg040\prevhost.exe

Filesize
30KB

MD5
6b05d2c6a32f3d7ce89e4ecef7c3b7a5

SHA1
49b7607df897788e4d16f479c3be819563c73dc1

SHA256
498d3af840f93f247619565a3b1e40894900d5d162cb71b63592b3711fe787b7

SHA512
d9fe83326a96a74c4f9457544b79c04845ae0daf3d94f321ba8d35de66b508595a4484a0d27157fbad3faffb10444582e8dd7d765d85e802fcc0ee3210c225ea

Download Submit
\Users\Admin\AppData\Local\Temp\bthudtask.exe

Filesize
25KB

MD5
f6f21358dd6bbc65ba45ca595e557611

SHA1
e6a46fcdeb46668feb96484ba8cd3b31f5486e0b

SHA256
e2d39f40a48ef9155a2591ae26ef1bdfc9590dbef9955c063e182d1a5f1776f5

SHA512
3e4e6866f10fe554ffb2f030c986897a568e9e054f351ad3430bdc13c941f76fda266253a4ad928aa76bb497c862c89a39bfd13fcdc33e251eeae8ff27964caf

Download Submit
\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
115KB

MD5
b9624604528aa545a3303ddc3ea3b9d7

SHA1
c4b95895b13bc83c96d945034de4c0460c764572

SHA256
278e8bd017ac178fce9a847e0f326ed104647ccd43635e7ec45065d76a8efa31

SHA512
e3421ab696db44d61fc62ac5ca94826f7f19f202c31dff0e3cc04ed4f18495fccfd4f748bf42beeaecb7a2abfabbbb065b6fade8db3856d3123b1ed7b93497d3

Download Submit
\Users\Admin\AppData\Roaming\MiniDownloader\gbd018.exe

Filesize
400KB

MD5
ab7f70ee178c8d7a64b4ee6d510e17e5

SHA1
ee91abc75493905b8a4b19d30a1c638d861043ff

SHA256
1a8a02677bc69fa970a26ce35bbfcef1380bd7acffe95ff3478cf01bc5374a5f

SHA512
5235185f01ebc7b140e603a96c9480c2bd90b5ba2315273d4fc6021144416c2c7551ab968e0e04eb3870d2e5b2791c703c5d88671d9f89e2204723fafaaeb738

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
388KB

MD5
abefa84914063eefadb4385db44ebb82

SHA1
f5ccbf861703b86b16e083fa25245816d517f136

SHA256
72a5ba430d274e7f5c62be710924541bd557721eb66fe2870e439d5b614602b6

SHA512
760e72754f10629b820944db4a59b47d439c8919c9392985adc5c0fb9e873ad1f7a6ea9670fa642a1f733da34fa41e128c12d54eb33b8537cb7ecee56329abc8

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
388KB

MD5
abefa84914063eefadb4385db44ebb82

SHA1
f5ccbf861703b86b16e083fa25245816d517f136

SHA256
72a5ba430d274e7f5c62be710924541bd557721eb66fe2870e439d5b614602b6

SHA512
760e72754f10629b820944db4a59b47d439c8919c9392985adc5c0fb9e873ad1f7a6ea9670fa642a1f733da34fa41e128c12d54eb33b8537cb7ecee56329abc8

Download Submit
\Windows\Temp\drive\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
memory/572-296-0x0000000002AA0000-0x0000000002FE4000-memory.dmp

Filesize
5.3MB

Download
memory/808-158-0x0000000002280000-0x00000000027C7000-memory.dmp

Filesize
5.3MB

Download
memory/1128-83-0x000000013F1F0000-0x000000013F2CB000-memory.dmp

Filesize
876KB

Download
memory/1128-177-0x000000013F1F0000-0x000000013F2CB000-memory.dmp

Filesize
876KB

Download
memory/1128-99-0x000007FE7D990000-0x000007FE7D991000-memory.dmp

Filesize
4KB

Download
memory/1128-98-0x000007FE7D980000-0x000007FE7D981000-memory.dmp

Filesize
4KB

Download
memory/1128-97-0x000007FE7D970000-0x000007FE7D971000-memory.dmp

Filesize
4KB

Download
memory/1128-123-0x000000013F1F0000-0x000000013F2CB000-memory.dmp

Filesize
876KB

Download
memory/1128-96-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1184-355-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/1184-352-0x0000000008140000-0x0000000008257000-memory.dmp

Filesize
1.1MB

Download
memory/1184-233-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1184-234-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/1184-232-0x00000000074A0000-0x000000000765D000-memory.dmp

Filesize
1.7MB

Download
memory/1184-222-0x0000000004FF0000-0x00000000050B4000-memory.dmp

Filesize
784KB

Download
memory/1404-264-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1404-300-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1408-179-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1408-100-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1408-101-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-213-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1412-303-0x0000000005290000-0x000000000533E000-memory.dmp

Filesize
696KB

Download
memory/1412-272-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-200-0x0000000000EB0000-0x0000000000ECC000-memory.dmp

Filesize
112KB

Download
memory/1412-366-0x0000000005AC0000-0x0000000005B70000-memory.dmp

Filesize
704KB

Download
memory/1412-364-0x0000000007560000-0x00000000075E7000-memory.dmp

Filesize
540KB

Download
memory/1412-361-0x000000000A810000-0x000000000A90A000-memory.dmp

Filesize
1000KB

Download
memory/1412-215-0x0000000002180000-0x000000000265F000-memory.dmp

Filesize
4.9MB

Download
memory/1412-217-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/1412-360-0x000000000A390000-0x000000000A46A000-memory.dmp

Filesize
872KB

Download
memory/1412-218-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1412-357-0x0000000005960000-0x0000000005A18000-memory.dmp

Filesize
736KB

Download
memory/1412-349-0x0000000009F80000-0x000000000A18F000-memory.dmp

Filesize
2.1MB

Download
memory/1412-198-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1412-350-0x0000000002A30000-0x0000000002A7C000-memory.dmp

Filesize
304KB

Download
memory/1412-351-0x0000000005C80000-0x0000000005D29000-memory.dmp

Filesize
676KB

Download
memory/1412-182-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1412-235-0x0000000002C90000-0x0000000002C92000-memory.dmp

Filesize
8KB

Download
memory/1412-347-0x0000000003E70000-0x0000000003F06000-memory.dmp

Filesize
600KB

Download
memory/1412-181-0x0000000002180000-0x000000000265F000-memory.dmp

Filesize
4.9MB

Download
memory/1412-180-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1412-343-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1412-176-0x0000000037130000-0x0000000037140000-memory.dmp

Filesize
64KB

Download
memory/1412-340-0x0000000002180000-0x000000000265F000-memory.dmp

Filesize
4.9MB

Download
memory/1412-172-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/1412-315-0x0000000008AB0000-0x000000000915B000-memory.dmp

Filesize
6.7MB

Download
memory/1412-170-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1412-314-0x00000000055F0000-0x00000000056D3000-memory.dmp

Filesize
908KB

Download
memory/1412-167-0x0000000037130000-0x0000000037140000-memory.dmp

Filesize
64KB

Download
memory/1412-166-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/1412-267-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-266-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-265-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-268-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-269-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-270-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-201-0x0000000000EB0000-0x0000000000ECC000-memory.dmp

Filesize
112KB

Download
memory/1412-276-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-144-0x0000000000290000-0x0000000000766000-memory.dmp

Filesize
4.8MB

Download
memory/1412-277-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-274-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-273-0x00000000021A0000-0x0000000002720000-memory.dmp

Filesize
5.5MB

Download
memory/1412-313-0x0000000007C10000-0x0000000007D35000-memory.dmp

Filesize
1.1MB

Download
memory/1412-308-0x0000000007ED0000-0x00000000082B1000-memory.dmp

Filesize
3.9MB

Download
memory/1520-262-0x0000000000250000-0x0000000000306000-memory.dmp

Filesize
728KB

Download
memory/1520-219-0x000000006F2E0000-0x000000006F2F0000-memory.dmp

Filesize
64KB

Download
memory/1520-220-0x0000000000250000-0x0000000000306000-memory.dmp

Filesize
728KB

Download
memory/1520-221-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1524-71-0x000000013F550000-0x000000013F634000-memory.dmp

Filesize
912KB

Download
memory/1524-54-0x000000013F550000-0x000000013F634000-memory.dmp

Filesize
912KB

Download
memory/1692-84-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1692-95-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1692-85-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1800-124-0x00000000021E0000-0x0000000002763000-memory.dmp

Filesize
5.5MB

Download
memory/1800-103-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1800-174-0x00000000021E0000-0x0000000002763000-memory.dmp

Filesize
5.5MB

Download
memory/1800-109-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1800-102-0x0000000000150000-0x00000000006CE000-memory.dmp

Filesize
5.5MB

Download
memory/1800-107-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1800-106-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2016-190-0x0000000000E60000-0x0000000000E76000-memory.dmp

Filesize
88KB

Download
memory/2016-125-0x00000000027F0000-0x0000000002D37000-memory.dmp

Filesize
5.3MB

Download
memory/2016-113-0x00000000000F0000-0x0000000000632000-memory.dmp

Filesize
5.3MB

Download
memory/2016-305-0x00000000027F0000-0x0000000002D37000-memory.dmp

Filesize
5.3MB

Download
memory/2016-119-0x0000000000BB0000-0x0000000000BB3000-memory.dmp

Filesize
12KB

Download
memory/2016-199-0x0000000000EB0000-0x0000000000ECC000-memory.dmp

Filesize
112KB

Download
memory/2016-306-0x0000000000C40000-0x0000000000D40000-memory.dmp

Filesize
1024KB

Download
memory/2016-307-0x0000000000D50000-0x0000000000D53000-memory.dmp

Filesize
12KB

Download
memory/2016-126-0x0000000000C40000-0x0000000000D40000-memory.dmp

Filesize
1024KB

Download
memory/2016-121-0x0000000000BB0000-0x0000000000BB3000-memory.dmp

Filesize
12KB

Download
memory/2016-297-0x0000000002EB0000-0x0000000002ECC000-memory.dmp

Filesize
112KB

Download