chinese_generic_botnet | bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
10-08-2023 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
Size

833KB
MD5

20c7c9a0d90fee734d3824255bf09e45
SHA1

72ff70ab0dd20cad1d36ae4b1fffb5cdfe4ad73e
SHA256

bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428
SHA512

09f43d460c452980be87136264d9d63613f6fd4d02db68a48ff5d3f8542f45215c4315239d5c6354b59620bfb38be1febdd04ad87f20af9cb9783007844850d3
SSDEEP

24576:OkXRu60c+p0/B3jOjp9AcGpwJaS5mgLclZIOJQ7C8:DXR770sMjbAcOw6gw/9c

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/2340-10537-0x0000000000400000-0x000000000051D000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
840	computer.exe
2476	._cache_computer.exe
1084	Synaptics.exe
2932	._cache_Synaptics.exe
1740	Uyuecug.exe
788	Server_se.exe
2456	Terms.exe
2860	Terms.exe

Loads dropped DLL 10 IoCs

pid	Process
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
840	computer.exe
840	computer.exe
840	computer.exe
840	computer.exe
840	computer.exe
1084	Synaptics.exe
1084	Synaptics.exe
1084	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	computer.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	._cache_computer.exe
File opened (read-only)	\??\E:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\H:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\I:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\B:	._cache_computer.exe
File opened (read-only)	\??\I:	._cache_computer.exe
File opened (read-only)	\??\O:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\Q:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\Y:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\J:	._cache_computer.exe
File opened (read-only)	\??\U:	._cache_computer.exe
File opened (read-only)	\??\W:	._cache_computer.exe
File opened (read-only)	\??\J:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\N:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\X:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\M:	._cache_computer.exe
File opened (read-only)	\??\P:	._cache_computer.exe
File opened (read-only)	\??\X:	._cache_computer.exe
File opened (read-only)	\??\P:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\V:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\E:	._cache_computer.exe
File opened (read-only)	\??\N:	._cache_computer.exe
File opened (read-only)	\??\O:	._cache_computer.exe
File opened (read-only)	\??\T:	._cache_computer.exe
File opened (read-only)	\??\Y:	._cache_computer.exe
File opened (read-only)	\??\Z:	._cache_computer.exe
File opened (read-only)	\??\G:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\R:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\S:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\Z:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\H:	._cache_computer.exe
File opened (read-only)	\??\K:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\L:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\W:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\G:	._cache_computer.exe
File opened (read-only)	\??\U:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\K:	._cache_computer.exe
File opened (read-only)	\??\R:	._cache_computer.exe
File opened (read-only)	\??\S:	._cache_computer.exe
File opened (read-only)	\??\V:	._cache_computer.exe
File opened (read-only)	\??\B:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\M:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\T:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\L:	._cache_computer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

pid	Process
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Terms.exe	._cache_computer.exe
File created	C:\Program Files (x86)\Uyuecug.exe	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened for modification	C:\Program Files (x86)\Uyuecug.exe	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File created	C:\Program Files (x86)\Terms.exe	._cache_Synaptics.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	._cache_Synaptics.exe
File created	C:\Program Files (x86)\Terms.exe	._cache_computer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}\WpadDecision = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}\WpadNetworkName = "Network 3"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-56-42-5d-d3-5e\WpadDecision = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}\WpadNetworkName = "Network 3"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}\WpadDecisionReason = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}\WpadDecisionTime = 807362fc24cbd901	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-56-42-5d-d3-5e\WpadDetectedUrl	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-56-42-5d-d3-5e\WpadDecisionTime = 807362fc24cbd901	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}\92-56-42-5d-d3-5e	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-56-42-5d-d3-5e\WpadDecisionTime = 6092e2f524cbd901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}\WpadDecisionReason = "1"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}\WpadDecisionTime = 6092e2f524cbd901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-56-42-5d-d3-5e	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-56-42-5d-d3-5e\WpadDecisionReason = "1"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-56-42-5d-d3-5e	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-56-42-5d-d3-5e\WpadDecisionReason = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-56-42-5d-d3-5e\WpadDecision = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}\WpadDecision = "0"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0206800C-9E51-4182-BD3C-8B7EBC1052D0}\92-56-42-5d-d3-5e	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-56-42-5d-d3-5e\WpadDecisionTime = 6092e2f524cbd901	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2848	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2476	._cache_computer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 968	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	30
PID 2340 wrote to memory of 968	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	30
PID 2340 wrote to memory of 968	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	30
PID 2340 wrote to memory of 968	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	30
PID 2340 wrote to memory of 840	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	34
PID 2340 wrote to memory of 840	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	34
PID 2340 wrote to memory of 840	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	34
PID 2340 wrote to memory of 840	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	34
PID 840 wrote to memory of 2476	840	computer.exe	35
PID 840 wrote to memory of 2476	840	computer.exe	35
PID 840 wrote to memory of 2476	840	computer.exe	35
PID 840 wrote to memory of 2476	840	computer.exe	35
PID 840 wrote to memory of 1084	840	computer.exe	36
PID 840 wrote to memory of 1084	840	computer.exe	36
PID 840 wrote to memory of 1084	840	computer.exe	36
PID 840 wrote to memory of 1084	840	computer.exe	36
PID 1084 wrote to memory of 2932	1084	Synaptics.exe	37
PID 1084 wrote to memory of 2932	1084	Synaptics.exe	37
PID 1084 wrote to memory of 2932	1084	Synaptics.exe	37
PID 1084 wrote to memory of 2932	1084	Synaptics.exe	37
PID 2340 wrote to memory of 788	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	42
PID 2340 wrote to memory of 788	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	42
PID 2340 wrote to memory of 788	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	42
PID 2340 wrote to memory of 788	2340	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	42
PID 2456 wrote to memory of 2860	2456	Terms.exe	44
PID 2456 wrote to memory of 2860	2456	Terms.exe	44
PID 2456 wrote to memory of 2860	2456	Terms.exe	44
PID 2456 wrote to memory of 2860	2456	Terms.exe	44

C:\Users\Admin\AppData\Local\Temp\bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
"C:\Users\Admin\AppData\Local\Temp\bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\windowss64
  2⤵
  PID:968
- C:\windowss64\computer.exe
  "C:\windowss64\computer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2476
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2932
- \??\c:\Server_se.exe
  c:\Server_se.exe
  2⤵
  - Executes dropped EXE
  PID:788

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Program Files (x86)\Uyuecug.exe
"C:\Program Files (x86)\Uyuecug.exe"
1⤵
- Executes dropped EXE
PID:1740

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files (x86)\Terms.exe
  "C:\Program Files (x86)\Terms.exe" Win7
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Uyuecug.exe

Filesize
833KB

MD5
20c7c9a0d90fee734d3824255bf09e45

SHA1
72ff70ab0dd20cad1d36ae4b1fffb5cdfe4ad73e

SHA256
bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428

SHA512
09f43d460c452980be87136264d9d63613f6fd4d02db68a48ff5d3f8542f45215c4315239d5c6354b59620bfb38be1febdd04ad87f20af9cb9783007844850d3

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\Server_se.exe

Filesize
862KB

MD5
8f246355b24f2547c03edc128aea377e

SHA1
352b5b12807c8573168838751547ea63f58a9b0a

SHA256
673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6

SHA512
36dfd95982af2892b2b7fd9ffdf44821e9ee22ed5d2f81c4f74815fa4f9d7ccf6e285a6fe52c93c3bbc4d40f5655e824665d828aa02e4d3e45175b2ba4a67792

Download Submit
C:\Server_se.exe

Filesize
862KB

MD5
8f246355b24f2547c03edc128aea377e

SHA1
352b5b12807c8573168838751547ea63f58a9b0a

SHA256
673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6

SHA512
36dfd95982af2892b2b7fd9ffdf44821e9ee22ed5d2f81c4f74815fa4f9d7ccf6e285a6fe52c93c3bbc4d40f5655e824665d828aa02e4d3e45175b2ba4a67792

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9fqadNK.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
memory/788-10457-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/840-8761-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1084-8794-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1084-9956-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1740-8840-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1740-10911-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2340-898-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-896-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-2602-0x0000000001EB0000-0x0000000002031000-memory.dmp

Filesize
1.5MB

Download
memory/2340-8741-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-8746-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2340-8748-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2340-926-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-924-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-920-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-922-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-916-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-918-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-914-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-908-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-912-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-910-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-906-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-900-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-902-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-904-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-54-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2340-2601-0x0000000001D70000-0x0000000001E70000-memory.dmp

Filesize
1024KB

Download
memory/2340-894-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-888-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-890-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-892-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-55-0x00000000759E0000-0x0000000075A27000-memory.dmp

Filesize
284KB

Download
memory/2340-886-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-882-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-884-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-878-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-880-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-865-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-874-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-10455-0x0000000003AE0000-0x0000000003C05000-memory.dmp

Filesize
1.1MB

Download
memory/2340-876-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-870-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-10537-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2340-872-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-866-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2340-868-0x0000000002160000-0x0000000002271000-memory.dmp

Filesize
1.1MB

Download
memory/2848-10103-0x000000007177D000-0x0000000071788000-memory.dmp

Filesize
44KB

Download
memory/2848-8813-0x000000007177D000-0x0000000071788000-memory.dmp

Filesize
44KB

Download