blackmoon | cede6ac238893e42da9d3df998429d991ff02cdcd018f7de4e7b379c3d5fdc6a

Resubmissions

18-03-2024 04:26

240318-e2p72agh5t 10

01-07-2023 07:56

230701-jszsbshc4x 10

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fwexe.exe
Size

84KB
MD5

bc6da13176887a094ff712a2e2a58ba4
SHA1

e67aff93f62eaf757b3167d86936cb71d653c8cf
SHA256

cede6ac238893e42da9d3df998429d991ff02cdcd018f7de4e7b379c3d5fdc6a
SHA512

555a7898693be4d4c5b265a6ed14656515efafd1f03beeb248e6aafafe3638095d39d5eb60589f74b5ca46a2fd835f182ca54ed0e1ad600c53098b57f57ed016
SSDEEP

1536:qZye8psDhdvoYIflDvf+RBe50UE8Feu6JsuDTpU0WyTwJg:6vdvYlDvWRBeiUDTBwVU0H8O

Score

10^/10

blackmoon banker persistence spyware stealer trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3852-133-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral2/memory/3852-134-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral2/memory/3852-137-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral2/memory/3852-141-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon

Downloads MZ/PE file

Drops file in Drivers directory 9 IoCs

Processes:

svchosh.exeAtBroker.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Drivers\JDQ0NnnfqV9.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\KSSWClsJZ.sys	svchosh.exe
File opened for modification	C:\Windows\system32\Drivers\6zfnmF4x.sys	svchosh.exe
File opened for modification	C:\Windows\system32\Drivers\MHCBchS.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\MHCBchS.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\JDQ0NnnfqV9.sys	svchosh.exe
File opened for modification	C:\Windows\system32\Drivers\KSSWClsJZ.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\6zfnmF4x.sys	svchosh.exe
File opened for modification	C:\Windows\system32\drivers\etc\	AtBroker.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchosh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\6zfnmF4x\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\6zfnmF4x.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MHCBchS\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\MHCBchS.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\6sck83IqC1D\ImagePath = "\\??\\C:\\ProgramData\\Microsoft\\AppV\\6sck83IqC1D.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tFwdXWGa\ImagePath = "\\??\\C:\\ProgramData\\Documents\\tFwdXWGa.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\JDQ0NnnfqV9\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\JDQ0NnnfqV9.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KSSWClsJZ\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\KSSWClsJZ.sys"	svchosh.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

drx.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation drx.exe
Executes dropped EXE 5 IoCs

Processes:

zlib.exesvchosh.exedrx.execontrol.exeAtBroker.exe

pid process

4596 zlib.exe
3324 svchosh.exe
4464 drx.exe
3164 control.exe
1528 AtBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation	drx.exe

pid	process
4596	zlib.exe
3324	svchosh.exe
4464	drx.exe
3164	control.exe
1528	AtBroker.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3852-133-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3852-134-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3852-137-0x0000000000400000-0x0000000000454000-memory.dmp	upx
C:\Windows\zlib.exe	upx
behavioral2/memory/3852-141-0x0000000000400000-0x0000000000454000-memory.dmp	upx
C:\Windows\zlib.exe	upx
behavioral2/memory/4596-150-0x0000000000340000-0x000000000048E000-memory.dmp	upx
C:\Windows\Temp\drxm\drx.exe	upx
C:\Windows\Temp\drxm\drx.exe	upx
behavioral2/memory/4464-159-0x00007FF611A00000-0x00007FF611ADB000-memory.dmp	upx
behavioral2/memory/4464-181-0x00007FF611A00000-0x00007FF611ADB000-memory.dmp	upx

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Windows\system32\JzIEGeu.sys	vmprotect
behavioral2/memory/1528-256-0x000001ED0C1A0000-0x000001ED0C81B000-memory.dmp	vmprotect
C:\Windows\system32\a0QosY9.sys	vmprotect
behavioral2/memory/1528-309-0x000001ED0F320000-0x000001ED0F731000-memory.dmp	vmprotect
C:\Windows\system32\A9nVICA.sys	vmprotect
C:\Windows\system32\WVEVqokkc.sys	vmprotect
C:\Windows\System32\UbRfu6.sys	vmprotect
C:\Windows\system32\UbRfu6.sys	vmprotect

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchosh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	svchosh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchosh.exe

Drops file in System32 directory 12 IoCs

Processes:

AtBroker.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	AtBroker.exe
File opened for modification	C:\Windows\system32\JzIEGeu.sys	AtBroker.exe
File created	C:\Windows\system32\a0QosY9.sys	AtBroker.exe
File created	C:\Windows\system32\A9nVICA.sys	AtBroker.exe
File created	C:\Windows\system32\1jzhi5.tmp	AtBroker.exe
File created	C:\Windows\system32\mZWtgn.tmp	AtBroker.exe
File created	C:\Windows\system32\JzIEGeu.sys	AtBroker.exe
File created	C:\Windows\system32\F3ANM3.tmp	AtBroker.exe
File created	C:\Windows\system32\GNmdLHf.tmp	AtBroker.exe
File created	C:\Windows\system32\WVEVqokkc.sys	AtBroker.exe
File created	C:\Windows\system32\v17WsF.tmp	AtBroker.exe
File created	C:\Windows\system32\UbRfu6.sys	AtBroker.exe

Drops file in Windows directory 2 IoCs

Processes:

fwexe.exeAtBroker.exe

description ioc process

File created C:\Windows\zlib.exe fwexe.exe
File opened for modification C:\Windows\win.ini AtBroker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\zlib.exe	fwexe.exe
File opened for modification	C:\Windows\win.ini	AtBroker.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AtBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	AtBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	AtBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	AtBroker.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.2345.com?90335-00624	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE

Modifies registry class 3 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

AtBroker.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\53D6C33EE37E0F0A5790DA5675A804F45DF848A8\Blob = 03000000010000001400000053d6c33ee37e0f0a5790da5675a804f45df848a820000000010000001e0200003082021a30820183a003020102020100300d06092a864886f70d01010b05003031310b300906035504061302434e3122302006035504030c195468617774652054696d657374616d70696e67204341205633301e170d3233303730313037353735395a170d3234303633303037353735395a3031310b300906035504061302434e3122302006035504030c195468617774652054696d657374616d70696e6720434120563330819f300d06092a864886f70d010101050003818d0030818902818100d3af3fe8293d3492cee6090126421c4fcf8707b7dc1cc004e5b7fe6b31c7f42e3b828fec0ad29087b78f484223e99b0c6aebbe2d8d30198b55e448a0c66df8546cff871af7c5c7aa53fe079a6ba78a442f51eb506ecac80f8175a8d8a0e1531caae5115d38d03ba9b1ab1aae061d7aeccc2a527216fb403fb2867a3745b7b4f30203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e0416041495f75ec680f6b5ac13617c23103c2822780425a6300d06092a864886f70d01010b0500038181000f154dfb10939665918824ae8004bb45a6ba91058fe53f9456246ded42994586360f7f732688bf09ddd3d57e6a32a568a1b1092125606d2e99bd5d2522df1e727de61a82d1d52b8f9015ee0c3eb7285c1cf63485751e9f8a9fb442b3968fa53117f71b2efff394ac2af33d4bff3967dcf186809ca47ff714b0e635c42bab7888	AtBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\53D6C33EE37E0F0A5790DA5675A804F45DF848A8	AtBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4940 PING.EXE

pid	process
4940	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchosh.exedrx.exesdclt.execontrol.exesvchost.exeAtBroker.exe

pid	process
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
4464	drx.exe
4464	drx.exe
3676	sdclt.exe
3676	sdclt.exe
3676	sdclt.exe
3676	sdclt.exe
3676	sdclt.exe
3676	sdclt.exe
3164	control.exe
3164	control.exe
3164	control.exe
3164	control.exe
1140	svchost.exe
1140	svchost.exe
3164	control.exe
3164	control.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe
1528	AtBroker.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Explorer.EXEAtBroker.exe

pid process

3276 Explorer.EXE
1528 AtBroker.exe

pid	process
3276	Explorer.EXE
1528	AtBroker.exe

Suspicious behavior: LoadsDriver 22 IoCs

Processes:

svchosh.exe

pid	process
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
660
660
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
3324	svchosh.exe
660
660
660
660
660
660
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchosh.exedrx.exesdclt.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	3324	svchosh.exe
Token: SeDebugPrivilege	3324	svchosh.exe
Token: SeDebugPrivilege	3324	svchosh.exe
Token: SeLoadDriverPrivilege	3324	svchosh.exe
Token: SeDebugPrivilege	3324	svchosh.exe
Token: SeLoadDriverPrivilege	3324	svchosh.exe
Token: SeDebugPrivilege	3324	svchosh.exe
Token: SeDebugPrivilege	4464	drx.exe
Token: SeTcbPrivilege	4464	drx.exe
Token: SeLoadDriverPrivilege	3324	svchosh.exe
Token: SeDebugPrivilege	3324	svchosh.exe
Token: SeDebugPrivilege	4464	drx.exe
Token: SeIncBasePriorityPrivilege	4464	drx.exe
Token: SeDebugPrivilege	3676	sdclt.exe
Token: SeTcbPrivilege	3676	sdclt.exe
Token: SeCreateTokenPrivilege	3676	sdclt.exe
Token: SeAssignPrimaryTokenPrivilege	3676	sdclt.exe
Token: SeLockMemoryPrivilege	3676	sdclt.exe
Token: SeIncreaseQuotaPrivilege	3676	sdclt.exe
Token: SeMachineAccountPrivilege	3676	sdclt.exe
Token: SeTcbPrivilege	3676	sdclt.exe
Token: SeSecurityPrivilege	3676	sdclt.exe
Token: SeTakeOwnershipPrivilege	3676	sdclt.exe
Token: SeLoadDriverPrivilege	3676	sdclt.exe
Token: SeSystemProfilePrivilege	3676	sdclt.exe
Token: SeSystemtimePrivilege	3676	sdclt.exe
Token: SeProfSingleProcessPrivilege	3676	sdclt.exe
Token: SeIncBasePriorityPrivilege	3676	sdclt.exe
Token: SeCreatePagefilePrivilege	3676	sdclt.exe
Token: SeCreatePermanentPrivilege	3676	sdclt.exe
Token: SeBackupPrivilege	3676	sdclt.exe
Token: SeRestorePrivilege	3676	sdclt.exe
Token: SeShutdownPrivilege	3676	sdclt.exe
Token: SeDebugPrivilege	3676	sdclt.exe
Token: SeAuditPrivilege	3676	sdclt.exe
Token: SeSystemEnvironmentPrivilege	3676	sdclt.exe
Token: SeChangeNotifyPrivilege	3676	sdclt.exe
Token: SeRemoteShutdownPrivilege	3676	sdclt.exe
Token: SeUndockPrivilege	3676	sdclt.exe
Token: SeSyncAgentPrivilege	3676	sdclt.exe
Token: SeEnableDelegationPrivilege	3676	sdclt.exe
Token: SeManageVolumePrivilege	3676	sdclt.exe
Token: SeImpersonatePrivilege	3676	sdclt.exe
Token: SeCreateGlobalPrivilege	3676	sdclt.exe
Token: 31	3676	sdclt.exe
Token: 32	3676	sdclt.exe
Token: 33	3676	sdclt.exe
Token: 34	3676	sdclt.exe
Token: 35	3676	sdclt.exe
Token: SeDebugPrivilege	3676	sdclt.exe
Token: SeDebugPrivilege	3164	control.exe
Token: SeTcbPrivilege	3164	control.exe
Token: SeCreateTokenPrivilege	3164	control.exe
Token: SeAssignPrimaryTokenPrivilege	3164	control.exe
Token: SeLockMemoryPrivilege	3164	control.exe
Token: SeIncreaseQuotaPrivilege	3164	control.exe
Token: SeMachineAccountPrivilege	3164	control.exe
Token: SeTcbPrivilege	3164	control.exe
Token: SeSecurityPrivilege	3164	control.exe
Token: SeTakeOwnershipPrivilege	3164	control.exe
Token: SeLoadDriverPrivilege	3164	control.exe
Token: SeSystemProfilePrivilege	3164	control.exe
Token: SeSystemtimePrivilege	3164	control.exe
Token: SeProfSingleProcessPrivilege	3164	control.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3276 Explorer.EXE
3276 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fwexe.exe

pid process

3852 fwexe.exe

pid	process
3276	Explorer.EXE
3276	Explorer.EXE

pid	process
3852	fwexe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fwexe.exezlib.execmd.exedrx.exesdclt.execontrol.exeAtBroker.exe

description	pid	process	target process
PID 3852 wrote to memory of 4596	3852	fwexe.exe	zlib.exe
PID 3852 wrote to memory of 4596	3852	fwexe.exe	zlib.exe
PID 3852 wrote to memory of 4596	3852	fwexe.exe	zlib.exe
PID 4596 wrote to memory of 4284	4596	zlib.exe	cmd.exe
PID 4596 wrote to memory of 4284	4596	zlib.exe	cmd.exe
PID 4596 wrote to memory of 4284	4596	zlib.exe	cmd.exe
PID 4284 wrote to memory of 3324	4284	cmd.exe	svchosh.exe
PID 4284 wrote to memory of 3324	4284	cmd.exe	svchosh.exe
PID 4284 wrote to memory of 4940	4284	cmd.exe	PING.EXE
PID 4284 wrote to memory of 4940	4284	cmd.exe	PING.EXE
PID 4284 wrote to memory of 4940	4284	cmd.exe	PING.EXE
PID 4284 wrote to memory of 4464	4284	cmd.exe	drx.exe
PID 4284 wrote to memory of 4464	4284	cmd.exe	drx.exe
PID 4464 wrote to memory of 3676	4464	drx.exe	sdclt.exe
PID 4464 wrote to memory of 3676	4464	drx.exe	sdclt.exe
PID 4464 wrote to memory of 3676	4464	drx.exe	sdclt.exe
PID 4464 wrote to memory of 3676	4464	drx.exe	sdclt.exe
PID 4464 wrote to memory of 3676	4464	drx.exe	sdclt.exe
PID 4464 wrote to memory of 3676	4464	drx.exe	sdclt.exe
PID 4464 wrote to memory of 3676	4464	drx.exe	sdclt.exe
PID 4464 wrote to memory of 1216	4464	drx.exe	cmd.exe
PID 4464 wrote to memory of 1216	4464	drx.exe	cmd.exe
PID 3676 wrote to memory of 3164	3676	sdclt.exe	control.exe
PID 3676 wrote to memory of 3164	3676	sdclt.exe	control.exe
PID 3676 wrote to memory of 3164	3676	sdclt.exe	control.exe
PID 3676 wrote to memory of 3164	3676	sdclt.exe	control.exe
PID 3676 wrote to memory of 3164	3676	sdclt.exe	control.exe
PID 3676 wrote to memory of 3164	3676	sdclt.exe	control.exe
PID 3676 wrote to memory of 3164	3676	sdclt.exe	control.exe
PID 3676 wrote to memory of 3164	3676	sdclt.exe	control.exe
PID 3164 wrote to memory of 1140	3164	control.exe	svchost.exe
PID 3164 wrote to memory of 1140	3164	control.exe	svchost.exe
PID 3164 wrote to memory of 1140	3164	control.exe	svchost.exe
PID 3164 wrote to memory of 1140	3164	control.exe	svchost.exe
PID 3164 wrote to memory of 1140	3164	control.exe	svchost.exe
PID 3164 wrote to memory of 1140	3164	control.exe	svchost.exe
PID 3164 wrote to memory of 1528	3164	control.exe	AtBroker.exe
PID 3164 wrote to memory of 1528	3164	control.exe	AtBroker.exe
PID 3164 wrote to memory of 1140	3164	control.exe	svchost.exe
PID 3164 wrote to memory of 1528	3164	control.exe	AtBroker.exe
PID 3164 wrote to memory of 1528	3164	control.exe	AtBroker.exe
PID 3164 wrote to memory of 1528	3164	control.exe	AtBroker.exe
PID 3164 wrote to memory of 1528	3164	control.exe	AtBroker.exe
PID 3164 wrote to memory of 1528	3164	control.exe	AtBroker.exe
PID 1528 wrote to memory of 3164	1528	AtBroker.exe	control.exe
PID 1528 wrote to memory of 3164	1528	AtBroker.exe	control.exe
PID 1528 wrote to memory of 3164	1528	AtBroker.exe	control.exe
PID 1528 wrote to memory of 3164	1528	AtBroker.exe	control.exe
PID 1528 wrote to memory of 3164	1528	AtBroker.exe	control.exe
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE
PID 1528 wrote to memory of 3276	1528	AtBroker.exe	Explorer.EXE

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3276
- C:\Users\Admin\AppData\Local\Temp\fwexe.exe
  "C:\Users\Admin\AppData\Local\Temp\fwexe.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\zlib.exe
    C:\Windows\\zlib.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\temp\drxm\xm.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\Temp\drxm\svchosh.exe
        
        C:\Windows\Temp\drxm\\svchosh.exe
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:4940
    - - C:\Windows\Temp\drxm\drx.exe
        
        C:\Windows\Temp\drxm\\drx.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Windows\system32\sdclt.exe
        
        "C:\Windows\system32\sdclt.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\control.exe
        
        C:\Users\Admin\AppData\Local\Temp\\control.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\631i1q78\AtBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\631i1q78\AtBroker.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Windows\Temp\drxm\drx.exe"
        6⤵
        
        PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
8a7255a92da98d0b0a1f1929fbdf723e

SHA1
5342b95e6623819b9b696379dcef3a81841bc2ab

SHA256
dc61200a2b5955d9ea007bee49eb4bdae46994d2efeb2ebd8cd74024440b108a

SHA512
da12a723da4e2dd961024e0761cba90f4e54ce0cd1db6cc4a0e442e54a35904a5b2f49bb5d70ccacf213b73c48024a630a0df368e94e6709f77cff2290e09729

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
1KB

MD5
85d25bfd8a7502d93d9f8bba0847f7c8

SHA1
0d9a8222170b14a4576c9dae63fd47adb42c619a

SHA256
c5909cedd22fc1c1049b2a644aedf5ddd89a9d8930c11b9772ffe6016724bdcb

SHA512
36ef849a3449663e6f0521889fa1f3789c0dbd41ec19aa530f333c35195b45ddae29262d8bbcbd019e227d990c5ed6a271c63066e42f7421f606709a4850273a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
9dbe6b32f84ab76f5171eed664942e40

SHA1
f4cdfc0b386e4c07e748abeac08c50c39ae78382

SHA256
7f41ad26d427ae4e99019d5c0ecaf2d6b6ebfcc6d06f24a302da31990a653f51

SHA512
f139a1ea7caabca12c18771758ffcfc72e5fe17c36e882f46b2a979034c3b8a6a012fcc94f2ef07285494d70ac287637fcf3e13f2ed08f467f4c0d43a3a756a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
611be4ac1d53476965e634f72084fe52

SHA1
19456cbd32d6ae6c52d3fc233b79bd6d51c66c27

SHA256
ba37f9d513df0b57ceb0ed3a3029231da802c4b7f9afbea914ec0bad9ea1e9ab

SHA512
8856afa609f73fc9d37911054dd2bff2f4339b15b835e54b04dca04d7f59e139f3463bcc45f5661c1924ea4b2b3e3a84f76d12d54f9a964683dc0f5982af7915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
532B

MD5
e5bf75d2aa23dfe50abf974f35c02a1e

SHA1
5b9cd34bb1e77989c12bbfffded27a2532a7056a

SHA256
b51b00b6e4a684b134ade75d004b882342a9571d7fd91f4b0171531afe14bb9f

SHA512
cf58cb9b050d1c8387c5065aacf667d55751980bb566c2513c2fa551724decb216d3cc79649ba8eb4b102608cbda11779bd9537c7ed32dd1cc59171b2bfda417

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
8a093bdb33c30473a1fcc67eaadcc7cf

SHA1
b87c31c4c20fc3719e03d9a30755681e693737d9

SHA256
3fbaa35d8db32c94be0be3fe0a95b840f195d149e8b0b4f27e0345d3b8da9a9c

SHA512
d6ef5777cbb2ccb32fe7b41fc44045f24fd53e1326199120667620b4de2ce560c3e7a31acc475e00861912718bc6c7c04dd9dbc3a6065cf7bc9ed11fc0d09264

Download Submit
C:\Users\Admin\AppData\Local\Temp\631i1q78\AtBroker.exe

Filesize
90KB

MD5
30076e434a015bdf4c136e09351882cc

SHA1
584c958a35e23083a0861421357405afd26d9a0c

SHA256
ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

SHA512
675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Download Submit
C:\Users\Admin\AppData\Local\Temp\control.exe

Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\Users\Admin\AppData\Local\Temp\control.exe

Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\Users\Admin\AppData\Local\Temp\picA614.tmp

Filesize
26KB

MD5
0adf95856e4023c04e8c9b0b378ac9a9

SHA1
788079c2fb312a7cbfa8a227f37baed8bf127212

SHA256
ecab43f3ffe085832a148f8e51f4dbd431ab6d7503645eeb20f7966ae18bbaaf

SHA512
0bbcec5b04ab97c597c599a5b5938fa3ea2ea7a360645a405acc67f640a42609114215db7facc2a8e4b31340dd20a5cbd61ca4f71ce31a31af002942b74d41b2

Download Submit
C:\Windows\System32\1jzhi5.tmp

Filesize
9KB

MD5
3a91a82b0911a6905d13a7ad10f4f1b6

SHA1
de1184c978f1cf1177e0966ee245d5a07a21ea93

SHA256
da560330512e8b6724f6b3a68000ac0590ff7a3aa62475029702d9759782c561

SHA512
b3f965950bcf82e04b2f5248246ca5d7dc2b9bece6251ac5f7756b5c0fc7829bfeab31720a45c091a760c4a4fc0a963e33467e0c3b251444cad7e7c8df137a74

Download Submit
C:\Windows\System32\UbRfu6.sys

Filesize
887KB

MD5
bf6a2ed5922f4f6d2553b6c96ee79c28

SHA1
9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

SHA256
693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

SHA512
46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

Download Submit
C:\Windows\System32\UbRfu6.sys

Filesize
1.5MB

MD5
f4fdee6f598ff906de93ad1e280b47a4

SHA1
08fc2a8850ddf94af5d83d03e6caf192d392ccea

SHA256
45ab5459806544a9c567e49094d2bf6280081b8bddd96c0f9ef766a57f0fc33e

SHA512
cf79ce0a2eb05dd537017072907eb6d61783abb1616522ea8a7744f10e745e6640be90f6d2762c6602365c433a2e98c9c1091b584b5fa38cc22f9d5b179459a0

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
146KB

MD5
a45d48c8c8a3729641c4064cc71924d6

SHA1
886ad0750a126798005b368c366b4764b8c79cb6

SHA256
2637b1f3e6ee2e9741a1f357780dd37bcf9a5b74e27aaf87643a4874303c7372

SHA512
648c0c5e940069b939e647a80276116160939c8e3f482e492382f2060759591bf73286c5265bef571efc40d61df59fb69ba0ad051ccd8e71024f393d4efeeb0b

Download Submit
C:\Windows\Temp\drxm\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
C:\Windows\Temp\drxm\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
C:\Windows\Temp\drxm\svchosh.exe

Filesize
766KB

MD5
a6dc95dbe25ef89c40c6943ab64d8b2d

SHA1
0d01f835a589191b6c28d264ee34a318df63012f

SHA256
8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

SHA512
e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

Download Submit
C:\Windows\Temp\drxm\svchosh.exe

Filesize
766KB

MD5
a6dc95dbe25ef89c40c6943ab64d8b2d

SHA1
0d01f835a589191b6c28d264ee34a318df63012f

SHA256
8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

SHA512
e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

Download Submit
C:\Windows\system32\A9nVICA.sys

Filesize
887KB

MD5
bf6a2ed5922f4f6d2553b6c96ee79c28

SHA1
9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

SHA256
693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

SHA512
46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

Download Submit
C:\Windows\system32\JzIEGeu.sys

Filesize
887KB

MD5
bf6a2ed5922f4f6d2553b6c96ee79c28

SHA1
9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

SHA256
693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

SHA512
46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

Download Submit
C:\Windows\system32\UbRfu6.sys

Filesize
887KB

MD5
bf6a2ed5922f4f6d2553b6c96ee79c28

SHA1
9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

SHA256
693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

SHA512
46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

Download Submit
C:\Windows\system32\WVEVqokkc.sys

Filesize
887KB

MD5
bf6a2ed5922f4f6d2553b6c96ee79c28

SHA1
9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

SHA256
693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

SHA512
46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

Download Submit
C:\Windows\system32\a0QosY9.sys

Filesize
887KB

MD5
bf6a2ed5922f4f6d2553b6c96ee79c28

SHA1
9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

SHA256
693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

SHA512
46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

Download Submit
C:\Windows\temp\drxm\xm.bat

Filesize
203B

MD5
7ad87393edbfa2718bb172d84eb7ffc8

SHA1
59e87ca229b3fa0a4d023571d9b23e7652fe91a9

SHA256
638a70fc5c280af5821d6cc6a03877229a6458ed56df156c91fd0ec8f1a5965c

SHA512
ebed640fcf594e26fb175079160ee47c9dffb864f23903b588ee5d12910f3d35204ccd991ef46695a1a8da1531386d317256295eaeb2fe32fe5d86f843acbde6

Download Submit
C:\Windows\zlib.exe

Filesize
1.1MB

MD5
2156499ed40b54d8602275a06fa527b9

SHA1
88bfaffeaf61e7c5dd2c5f9f60307adedbb6566f

SHA256
6933b2cb03952e5894ae9fcda474d628fd58b982167c6e70f1af468299c71223

SHA512
dc15fd515e411512072ceb033e9819865dc60908965a70b30ef435011f70e5c33e9485bc31e01bc30dd96cc8761d5eca6ae4de076d1b0f7ed8e328550c1ffae3

Download Submit
C:\Windows\zlib.exe

Filesize
1.1MB

MD5
2156499ed40b54d8602275a06fa527b9

SHA1
88bfaffeaf61e7c5dd2c5f9f60307adedbb6566f

SHA256
6933b2cb03952e5894ae9fcda474d628fd58b982167c6e70f1af468299c71223

SHA512
dc15fd515e411512072ceb033e9819865dc60908965a70b30ef435011f70e5c33e9485bc31e01bc30dd96cc8761d5eca6ae4de076d1b0f7ed8e328550c1ffae3

Download Submit
memory/1140-194-0x00000204FCD00000-0x00000204FD0BF000-memory.dmp

Filesize
3.7MB

Download
memory/1528-269-0x000001ED0CA80000-0x000001ED0CB2F000-memory.dmp

Filesize
700KB

Download
memory/1528-309-0x000001ED0F320000-0x000001ED0F731000-memory.dmp

Filesize
4.1MB

Download
memory/1528-209-0x000001ED08760000-0x000001ED0877A000-memory.dmp

Filesize
104KB

Download
memory/1528-210-0x000001ED08760000-0x000001ED0877A000-memory.dmp

Filesize
104KB

Download
memory/1528-211-0x000001ED08780000-0x000001ED08781000-memory.dmp

Filesize
4KB

Download
memory/1528-459-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/1528-458-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/1528-221-0x0000019473D30000-0x0000019473D4C000-memory.dmp

Filesize
112KB

Download
memory/1528-225-0x0000019473D30000-0x0000019473D4C000-memory.dmp

Filesize
112KB

Download
memory/1528-455-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/1528-203-0x00007FFD990F0000-0x00007FFD99100000-memory.dmp

Filesize
64KB

Download
memory/1528-202-0x00007FFD990F0000-0x00007FFD99100000-memory.dmp

Filesize
64KB

Download
memory/1528-200-0x00007FFD990F0000-0x00007FFD99100000-memory.dmp

Filesize
64KB

Download
memory/1528-454-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/1528-452-0x000001ED0CD90000-0x000001ED0CF9F000-memory.dmp

Filesize
2.1MB

Download
memory/1528-451-0x000001ED0CD90000-0x000001ED0CF9F000-memory.dmp

Filesize
2.1MB

Download
memory/1528-235-0x000001ED0A190000-0x000001ED0A4EB000-memory.dmp

Filesize
3.4MB

Download
memory/1528-450-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/1528-239-0x0000000002700000-0x0000000002703000-memory.dmp

Filesize
12KB

Download
memory/1528-240-0x000001ED0A0E0000-0x000001ED0A0E1000-memory.dmp

Filesize
4KB

Download
memory/1528-449-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/1528-439-0x000001ED0CD90000-0x000001ED0CF9F000-memory.dmp

Filesize
2.1MB

Download
memory/1528-243-0x000001ED0A190000-0x000001ED0A4EB000-memory.dmp

Filesize
3.4MB

Download
memory/1528-245-0x000001ED08760000-0x000001ED0877A000-memory.dmp

Filesize
104KB

Download
memory/1528-244-0x000001ED08760000-0x000001ED0877A000-memory.dmp

Filesize
104KB

Download
memory/1528-246-0x000001ED08760000-0x000001ED0877A000-memory.dmp

Filesize
104KB

Download
memory/1528-248-0x0000019473D30000-0x0000019473D4C000-memory.dmp

Filesize
112KB

Download
memory/1528-249-0x000001ED0B330000-0x000001ED0B3F6000-memory.dmp

Filesize
792KB

Download
memory/1528-256-0x000001ED0C1A0000-0x000001ED0C81B000-memory.dmp

Filesize
6.5MB

Download
memory/1528-262-0x0000019473D30000-0x0000019473D4C000-memory.dmp

Filesize
112KB

Download
memory/1528-261-0x0000019473D30000-0x0000019473D4C000-memory.dmp

Filesize
112KB

Download
memory/1528-263-0x000001ED0BF50000-0x000001ED0C045000-memory.dmp

Filesize
980KB

Download
memory/1528-264-0x000001ED0CD90000-0x000001ED0CF9F000-memory.dmp

Filesize
2.1MB

Download
memory/1528-265-0x000001ED0B950000-0x000001ED0B9F9000-memory.dmp

Filesize
676KB

Download
memory/1528-266-0x000001ED0D2D0000-0x000001ED0D3F6000-memory.dmp

Filesize
1.1MB

Download
memory/1528-438-0x000001ED0CD90000-0x000001ED0CF9F000-memory.dmp

Filesize
2.1MB

Download
memory/1528-270-0x000001ED0CD90000-0x000001ED0CF9F000-memory.dmp

Filesize
2.1MB

Download
memory/1528-271-0x000001ED0CD90000-0x000001ED0CF9F000-memory.dmp

Filesize
2.1MB

Download
memory/1528-273-0x000001ED0CD90000-0x000001ED0CF9F000-memory.dmp

Filesize
2.1MB

Download
memory/1528-437-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/1528-281-0x000001ED0CA80000-0x000001ED0CB2F000-memory.dmp

Filesize
700KB

Download
memory/1528-283-0x000001ED0CB70000-0x000001ED0CC20000-memory.dmp

Filesize
704KB

Download
memory/1528-284-0x000001ED0E450000-0x000001ED0E783000-memory.dmp

Filesize
3.2MB

Download
memory/1528-285-0x000001ED0D590000-0x000001ED0D5DE000-memory.dmp

Filesize
312KB

Download
memory/1528-286-0x000001ED0DF40000-0x000001ED0DFF4000-memory.dmp

Filesize
720KB

Download
memory/1528-436-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/1528-370-0x000001ED0CD90000-0x000001ED0CF9F000-memory.dmp

Filesize
2.1MB

Download
memory/1528-367-0x000001ED0CD90000-0x000001ED0CF9F000-memory.dmp

Filesize
2.1MB

Download
memory/1528-364-0x000001ED0A0E0000-0x000001ED0A0E1000-memory.dmp

Filesize
4KB

Download
memory/1528-308-0x000001ED0EE30000-0x000001ED0EFB1000-memory.dmp

Filesize
1.5MB

Download
memory/1528-208-0x000001ED0A190000-0x000001ED0A4EB000-memory.dmp

Filesize
3.4MB

Download
memory/1528-314-0x000001ED0E000000-0x000001ED0E069000-memory.dmp

Filesize
420KB

Download
memory/1528-363-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/1528-318-0x000001ED0E210000-0x000001ED0E261000-memory.dmp

Filesize
324KB

Download
memory/1528-362-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/1528-321-0x000001ED0E890000-0x000001ED0E91F000-memory.dmp

Filesize
572KB

Download
memory/1528-322-0x000001ED0FC10000-0x000001ED0FE40000-memory.dmp

Filesize
2.2MB

Download
memory/1528-354-0x000001ED10B10000-0x000001ED10BE2000-memory.dmp

Filesize
840KB

Download
memory/1528-351-0x000001ED10120000-0x000001ED101A7000-memory.dmp

Filesize
540KB

Download
memory/1528-323-0x000001ED0F230000-0x000001ED0F2BC000-memory.dmp

Filesize
560KB

Download
memory/1528-328-0x000001ED10220000-0x000001ED102C0000-memory.dmp

Filesize
640KB

Download
memory/1528-347-0x000001ED105E0000-0x000001ED106BA000-memory.dmp

Filesize
872KB

Download
memory/1528-337-0x000001ED0E450000-0x000001ED0E783000-memory.dmp

Filesize
3.2MB

Download
memory/1528-338-0x0000000002700000-0x0000000002703000-memory.dmp

Filesize
12KB

Download
memory/1528-339-0x000001ED0FF20000-0x000001ED1001A000-memory.dmp

Filesize
1000KB

Download
memory/1528-343-0x000001ED0FE40000-0x000001ED0FEF6000-memory.dmp

Filesize
728KB

Download
memory/3164-184-0x00000194719D0000-0x00000194719D3000-memory.dmp

Filesize
12KB

Download
memory/3164-220-0x0000019473D30000-0x0000019473D4C000-memory.dmp

Filesize
112KB

Download
memory/3164-193-0x0000019471B30000-0x0000019471B4A000-memory.dmp

Filesize
104KB

Download
memory/3164-192-0x0000019471D90000-0x000001947214F000-memory.dmp

Filesize
3.7MB

Download
memory/3164-186-0x00000194719D0000-0x00000194719D3000-memory.dmp

Filesize
12KB

Download
memory/3164-241-0x0000019471D90000-0x000001947214F000-memory.dmp

Filesize
3.7MB

Download
memory/3164-242-0x0000019471B30000-0x0000019471B4A000-memory.dmp

Filesize
104KB

Download
memory/3164-317-0x0000019473DC0000-0x0000019473DDC000-memory.dmp

Filesize
112KB

Download
memory/3276-277-0x0000000002710000-0x0000000002766000-memory.dmp

Filesize
344KB

Download
memory/3276-319-0x0000000006BA0000-0x0000000006BA3000-memory.dmp

Filesize
12KB

Download
memory/3276-356-0x00000000090D0000-0x0000000009127000-memory.dmp

Filesize
348KB

Download
memory/3276-357-0x000000000D770000-0x000000000D931000-memory.dmp

Filesize
1.8MB

Download
memory/3276-326-0x0000000007570000-0x000000000757D000-memory.dmp

Filesize
52KB

Download
memory/3276-344-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/3276-227-0x0000000002710000-0x0000000002766000-memory.dmp

Filesize
344KB

Download
memory/3276-287-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/3276-331-0x0000000008640000-0x000000000868F000-memory.dmp

Filesize
316KB

Download
memory/3276-307-0x00000000087B0000-0x0000000008831000-memory.dmp

Filesize
516KB

Download
memory/3276-325-0x000000000C1B0000-0x000000000C2FD000-memory.dmp

Filesize
1.3MB

Download
memory/3276-303-0x0000000008420000-0x0000000008537000-memory.dmp

Filesize
1.1MB

Download
memory/3676-191-0x0000015BD05D0000-0x0000015BD09CC000-memory.dmp

Filesize
4.0MB

Download
memory/3676-178-0x0000015BCE730000-0x0000015BCE733000-memory.dmp

Filesize
12KB

Download
memory/3676-179-0x0000015BCE730000-0x0000015BCE733000-memory.dmp

Filesize
12KB

Download
memory/3676-207-0x0000015BD05D0000-0x0000015BD09CC000-memory.dmp

Filesize
4.0MB

Download
memory/3852-141-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3852-134-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3852-133-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3852-137-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4464-159-0x00007FF611A00000-0x00007FF611ADB000-memory.dmp

Filesize
876KB

Download
memory/4464-164-0x00007FFD59120000-0x00007FFD59121000-memory.dmp

Filesize
4KB

Download
memory/4464-181-0x00007FF611A00000-0x00007FF611ADB000-memory.dmp

Filesize
876KB

Download
memory/4596-150-0x0000000000340000-0x000000000048E000-memory.dmp

Filesize
1.3MB

Download