chinese_generic_botnet | 673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
10-08-2023 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
Size

862KB
MD5

8f246355b24f2547c03edc128aea377e
SHA1

352b5b12807c8573168838751547ea63f58a9b0a
SHA256

673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6
SHA512

36dfd95982af2892b2b7fd9ffdf44821e9ee22ed5d2f81c4f74815fa4f9d7ccf6e285a6fe52c93c3bbc4d40f5655e824665d828aa02e4d3e45175b2ba4a67792
SSDEEP

24576:fBRYHenxLamX32AK07IDOlGrF+1CJzwRM4z3:fBRFVai32i7IaeF+AwRTb

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/3048-8890-0x0000000000400000-0x0000000000525000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
1684	computer.exe
600	._cache_computer.exe
1812	Synaptics.exe
1068	._cache_Synaptics.exe
2716	Terms.exe
1096	Aooqmyy.exe
1324	Terms.exe
1312	Terms.exe

Loads dropped DLL 10 IoCs

pid	Process
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
1684	computer.exe
1684	computer.exe
1684	computer.exe
1684	computer.exe
1684	computer.exe
1812	Synaptics.exe
1812	Synaptics.exe
1812	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	computer.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	._cache_Synaptics.exe
File opened (read-only)	\??\V:	._cache_Synaptics.exe
File opened (read-only)	\??\V:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\B:	._cache_Synaptics.exe
File opened (read-only)	\??\J:	._cache_Synaptics.exe
File opened (read-only)	\??\M:	._cache_Synaptics.exe
File opened (read-only)	\??\Q:	._cache_Synaptics.exe
File opened (read-only)	\??\U:	._cache_Synaptics.exe
File opened (read-only)	\??\Z:	._cache_Synaptics.exe
File opened (read-only)	\??\B:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\G:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\G:	._cache_Synaptics.exe
File opened (read-only)	\??\L:	._cache_Synaptics.exe
File opened (read-only)	\??\Q:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\J:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\E:	._cache_Synaptics.exe
File opened (read-only)	\??\X:	._cache_Synaptics.exe
File opened (read-only)	\??\Y:	._cache_Synaptics.exe
File opened (read-only)	\??\H:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\Y:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\N:	._cache_Synaptics.exe
File opened (read-only)	\??\T:	._cache_Synaptics.exe
File opened (read-only)	\??\U:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\I:	._cache_Synaptics.exe
File opened (read-only)	\??\M:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\I:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\W:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\X:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\R:	._cache_Synaptics.exe
File opened (read-only)	\??\W:	._cache_Synaptics.exe
File opened (read-only)	\??\S:	._cache_Synaptics.exe
File opened (read-only)	\??\K:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\L:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\O:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\K:	._cache_Synaptics.exe
File opened (read-only)	\??\O:	._cache_Synaptics.exe
File opened (read-only)	\??\N:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\P:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\R:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\S:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\T:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\Z:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened (read-only)	\??\H:	._cache_Synaptics.exe
File opened (read-only)	\??\E:	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs

pid	Process
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Terms.exe	._cache_Synaptics.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	._cache_Synaptics.exe
File created	C:\Program Files (x86)\Aooqmyy.exe	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
File opened for modification	C:\Program Files (x86)\Aooqmyy.exe	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\WpadDecisionTime = d0b1b4a77acbd901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\WpadDecisionReason = "1"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDecision = "0"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDecisionTime = 503e72b07acbd901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDetectedUrl	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\WpadNetworkName = "Network 2"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\WpadDecisionReason = "1"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\be-f1-ec-57-2b-5b	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\WpadDecisionTime = b01ffab97acbd901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\be-f1-ec-57-2b-5b	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDecisionTime = d0b1b4a77acbd901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\be-f1-ec-57-2b-5b	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0041000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0041000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDecisionTime = 503e72b07acbd901	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0041000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDecision = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDecisionTime = b01ffab97acbd901	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDecisionTime = d0b1b4a77acbd901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\WpadDecisionTime = 503e72b07acbd901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\WpadDecisionReason = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0041000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\WpadDecision = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDecisionReason = "1"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\WpadNetworkName = "Network 2"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84625169-F7B6-4AC4-8585-08C2E3D4DC73}\WpadDecision = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDetectedUrl	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDecisionReason = "1"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-f1-ec-57-2b-5b\WpadDecision = "0"	Terms.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1608	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
1068	._cache_Synaptics.exe
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1608	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2304	3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe	30
PID 3048 wrote to memory of 2304	3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe	30
PID 3048 wrote to memory of 2304	3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe	30
PID 3048 wrote to memory of 2304	3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe	30
PID 3048 wrote to memory of 1684	3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe	34
PID 3048 wrote to memory of 1684	3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe	34
PID 3048 wrote to memory of 1684	3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe	34
PID 3048 wrote to memory of 1684	3048	673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe	34
PID 1684 wrote to memory of 600	1684	computer.exe	35
PID 1684 wrote to memory of 600	1684	computer.exe	35
PID 1684 wrote to memory of 600	1684	computer.exe	35
PID 1684 wrote to memory of 600	1684	computer.exe	35
PID 1684 wrote to memory of 1812	1684	computer.exe	36
PID 1684 wrote to memory of 1812	1684	computer.exe	36
PID 1684 wrote to memory of 1812	1684	computer.exe	36
PID 1684 wrote to memory of 1812	1684	computer.exe	36
PID 1812 wrote to memory of 1068	1812	Synaptics.exe	37
PID 1812 wrote to memory of 1068	1812	Synaptics.exe	37
PID 1812 wrote to memory of 1068	1812	Synaptics.exe	37
PID 1812 wrote to memory of 1068	1812	Synaptics.exe	37
PID 2716 wrote to memory of 1324	2716	Terms.exe	43
PID 2716 wrote to memory of 1324	2716	Terms.exe	43
PID 2716 wrote to memory of 1324	2716	Terms.exe	43
PID 2716 wrote to memory of 1324	2716	Terms.exe	43
PID 1324 wrote to memory of 1312	1324	Terms.exe	44
PID 1324 wrote to memory of 1312	1324	Terms.exe	44
PID 1324 wrote to memory of 1312	1324	Terms.exe	44
PID 1324 wrote to memory of 1312	1324	Terms.exe	44

C:\Users\Admin\AppData\Local\Temp\673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe
"C:\Users\Admin\AppData\Local\Temp\673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\windowss64
  2⤵
  PID:2304
- C:\windowss64\computer.exe
  "C:\windowss64\computer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
    3⤵
    - Executes dropped EXE
    PID:600
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:1068

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files (x86)\Terms.exe
  "C:\Program Files (x86)\Terms.exe" Win7
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Program Files (x86)\Terms.exe
    "C:\Program Files (x86)\Terms.exe" Win7
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:1312

C:\Program Files (x86)\Aooqmyy.exe
"C:\Program Files (x86)\Aooqmyy.exe"
1⤵
- Executes dropped EXE
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Aooqmyy.exe

Filesize
862KB

MD5
8f246355b24f2547c03edc128aea377e

SHA1
352b5b12807c8573168838751547ea63f58a9b0a

SHA256
673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6

SHA512
36dfd95982af2892b2b7fd9ffdf44821e9ee22ed5d2f81c4f74815fa4f9d7ccf6e285a6fe52c93c3bbc4d40f5655e824665d828aa02e4d3e45175b2ba4a67792

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkoWSFUK.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
memory/1096-9668-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1096-8853-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1608-8846-0x0000000071E9D000-0x0000000071EA8000-memory.dmp

Filesize
44KB

Download
memory/1608-8812-0x0000000071E9D000-0x0000000071EA8000-memory.dmp

Filesize
44KB

Download
memory/1684-8765-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1812-8837-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1812-8796-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3048-896-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-900-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-2601-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/3048-2602-0x0000000001E40000-0x0000000001FC1000-memory.dmp

Filesize
1.5MB

Download
memory/3048-4526-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/3048-8742-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-8747-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/3048-8749-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/3048-922-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-924-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-926-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-918-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-916-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-908-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-910-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-912-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-914-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-902-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-904-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-906-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-898-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-920-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-54-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/3048-892-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-894-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-886-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-888-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-890-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-882-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-884-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-880-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-874-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-876-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-878-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-872-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-865-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-866-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-870-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-8890-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/3048-868-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/3048-55-0x0000000076BA0000-0x0000000076BE7000-memory.dmp

Filesize
284KB

Download