xmrig | 31fcc1a7c79fa0e760d81e479154824551be394658821275380c9fc45343ae22

Analysis

max time kernel
31s
max time network
35s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13-08-2023 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scvsots.exe
Size

2.1MB
MD5

fd409d4d20e580215c1ec0803eed9725
SHA1

02f9cf94ed6ab9e780755215857c9ba0a3e25065
SHA256

483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79
SHA512

253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38
SSDEEP

49152:Sq6zl3M9b5H5RB4jyVzsb0cUgq0EtlR3vOtNhHduFYq4sTm:Sq6zMrSyNsb0fP0yitNh5qNS

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 29 IoCs

miner

Processes:

resource	yara_rule
behavioral22/memory/2556-58-0x0000000000400000-0x00000000007D8000-memory.dmp	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
behavioral22/memory/2180-65-0x0000000000400000-0x00000000007D8000-memory.dmp	xmrig
behavioral22/memory/2180-66-0x0000000000400000-0x00000000007D8000-memory.dmp	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
behavioral22/memory/2180-237-0x0000000000400000-0x00000000007D8000-memory.dmp	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\TEMP\Networks\taskmgr.exe	xmrig
behavioral22/memory/2960-247-0x0000000000400000-0x00000000007D8000-memory.dmp	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
\Windows\Temp\Networks\taskmgr.exe	xmrig
C:\Windows\Temp\Networks\taskmgr.exe	xmrig

Sets file execution options in registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

scvsots.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	scvsots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	scvsots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	scvsots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	scvsots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	scvsots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	scvsots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	scvsots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	scvsots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	scvsots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	scvsots.exe

Executes dropped EXE 17 IoCs

Processes:

scvsots.exetaskmgr.exetaskmgr.exetaskmgr.exetaskmgr.exewimnat.exeooaaya.exetaskmgr.exeopperce.exezmtrwm.exetaskmgr.exetaskmgr.exetaskmgr.exescvsots.exetaskmgr.exetaskmgr.exetaskmgr.exe

pid	process
2180	scvsots.exe
2896	taskmgr.exe
2716	taskmgr.exe
2152	taskmgr.exe
2820	taskmgr.exe
2692	wimnat.exe
1808	ooaaya.exe
1672	taskmgr.exe
1080	opperce.exe
336	zmtrwm.exe
1936	taskmgr.exe
2468	taskmgr.exe
1920	taskmgr.exe
2960	scvsots.exe
2940	taskmgr.exe
2852	taskmgr.exe
2164	taskmgr.exe

Loads dropped DLL 15 IoCs

Processes:

scvsots.exe

pid	process
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral22/memory/2556-54-0x0000000000400000-0x00000000007D8000-memory.dmp	upx
C:\Windows\scvsots.exe	upx
behavioral22/memory/2180-57-0x0000000000400000-0x00000000007D8000-memory.dmp	upx
behavioral22/memory/2556-58-0x0000000000400000-0x00000000007D8000-memory.dmp	upx
behavioral22/memory/2180-65-0x0000000000400000-0x00000000007D8000-memory.dmp	upx
behavioral22/memory/2180-66-0x0000000000400000-0x00000000007D8000-memory.dmp	upx
C:\Windows\scvsots.exe	upx
behavioral22/memory/2180-237-0x0000000000400000-0x00000000007D8000-memory.dmp	upx
C:\Windows\ime\scvsots.exe	upx
C:\Windows\IME\scvsots.exe	upx
behavioral22/memory/2960-245-0x0000000000400000-0x00000000007D8000-memory.dmp	upx
behavioral22/memory/2960-247-0x0000000000400000-0x00000000007D8000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

scvsots.exe

description	ioc	process
File opened (read-only)	\??\P:	scvsots.exe
File opened (read-only)	\??\R:	scvsots.exe
File opened (read-only)	\??\V:	scvsots.exe
File opened (read-only)	\??\B:	scvsots.exe
File opened (read-only)	\??\S:	scvsots.exe
File opened (read-only)	\??\Y:	scvsots.exe
File opened (read-only)	\??\T:	scvsots.exe
File opened (read-only)	\??\U:	scvsots.exe
File opened (read-only)	\??\E:	scvsots.exe
File opened (read-only)	\??\G:	scvsots.exe
File opened (read-only)	\??\K:	scvsots.exe
File opened (read-only)	\??\L:	scvsots.exe
File opened (read-only)	\??\N:	scvsots.exe
File opened (read-only)	\??\Q:	scvsots.exe
File opened (read-only)	\??\W:	scvsots.exe
File opened (read-only)	\??\X:	scvsots.exe
File opened (read-only)	\??\Z:	scvsots.exe
File opened (read-only)	\??\A:	scvsots.exe
File opened (read-only)	\??\H:	scvsots.exe
File opened (read-only)	\??\I:	scvsots.exe
File opened (read-only)	\??\J:	scvsots.exe
File opened (read-only)	\??\M:	scvsots.exe
File opened (read-only)	\??\O:	scvsots.exe

Creates a Windows Service
persistence

Drops file in System32 directory 5 IoCs

Processes:

opperce.exescvsots.exewimnat.exe

description	ioc	process
File created	C:\Windows\SysWOW64\zmtrwm.exe	opperce.exe
File opened for modification	C:\Windows\SysWOW64\zmtrwm.exe	opperce.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	scvsots.exe
File created	C:\Windows\SysWOW64\ooaaya.exe	wimnat.exe
File opened for modification	C:\Windows\SysWOW64\ooaaya.exe	wimnat.exe

Drops file in Windows directory 58 IoCs

Processes:

scvsots.exescvsots.exe

description	ioc	process
File opened for modification	C:\Windows\scvsots.exe	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\ssleay32.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\cnli-1.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\libeay32.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\coli-0.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\AppCapture_x64.dll	scvsots.exe
File created	C:\Windows\spoolsrv.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\AppCapture_x64.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\crli-0.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\trch-1.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\spoolsrv.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\svchost.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\svchost.exe	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\svchost.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.xml	scvsots.exe
File opened for modification	C:\Windows\svchost.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\libeay32.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\libxml2.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\AppCapture_x32.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\coli-0.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\crli-0.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\tibe-2.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\tucl-1.dll	scvsots.exe
File opened for modification	C:\Windows\spoolsrv.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\tibe-2.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\exma-1.dll	scvsots.exe
File opened for modification	C:\Windows\InfusedAppe\Priess\ip.txt	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\svchost.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\ucl.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\spoolsrv.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\ucl.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\svchost.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\exma-1.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\posh-0.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\spoolsrv.exe	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\trch-1.dll	scvsots.exe
File created	C:\Windows\scvsots.exe	scvsots.exe
File created	C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\cnli-1.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\tucl-1.dll	scvsots.exe
File opened for modification	C:\Windows\ime\scvsots.exe	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\libxml2.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\ssleay32.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\trfo-2.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\svchost.exe	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\trfo-2.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\AppCapture_x32.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\xdvl-0.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\Corporate\scvhost.exe	scvsots.exe
File created	C:\Windows\InfusedAppe\Priess\ip.txt	scvsots.exe
File created	C:\Windows\ime\scvsots.exe	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\zlib1.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\spoolsrv.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\posh-0.dll	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.exe	scvsots.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\xdvl-0.dll	scvsots.exe
File created	C:\Windows\svchost.xml	scvsots.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\zlib1.dll	scvsots.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1692 sc.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2488 schtasks.exe
2216 schtasks.exe
3020 schtasks.exe

pid	process
1692	sc.exe

pid	process
2488	schtasks.exe
2216	schtasks.exe
3020	schtasks.exe

Modifies data under HKEY_USERS 30 IoCs

Processes:

ooaaya.exescvsots.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	ooaaya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ooaaya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	scvsots.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	scvsots.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadDecision = "0"	scvsots.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8\WpadDecisionTime = 4058a0ae14ced901	scvsots.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	scvsots.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadDecisionTime = 4058a0ae14ced901	scvsots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	scvsots.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ooaaya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	scvsots.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	scvsots.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadDecisionReason = "1"	scvsots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	scvsots.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f006e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	scvsots.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\26-77-e4-86-2b-a8	scvsots.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	ooaaya.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	scvsots.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadNetworkName = "Network 2"	scvsots.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8\WpadDecisionReason = "1"	scvsots.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	ooaaya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	scvsots.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8	scvsots.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	scvsots.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8\WpadDecision = "0"	scvsots.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	scvsots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	scvsots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	ooaaya.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	scvsots.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}	scvsots.exe

Modifies registry class 6 IoCs

Processes:

scvsots.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	scvsots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	scvsots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	scvsots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	scvsots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	scvsots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	scvsots.exe

Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

scvsots.exe

pid process

2960 scvsots.exe

pid	process
2960	scvsots.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

scvsots.exeooaaya.exe

pid	process
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
1808	ooaaya.exe
2180	scvsots.exe
1808	ooaaya.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
1808	ooaaya.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
1808	ooaaya.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
1808	ooaaya.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
1808	ooaaya.exe
2180	scvsots.exe
1808	ooaaya.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
1808	ooaaya.exe
2180	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

scvsots.exe

pid process

2556 scvsots.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

scvsots.exe

description	pid	process
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe
Token: SeDebugPrivilege	2180	scvsots.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

scvsots.exescvsots.exewimnat.exeooaaya.exeopperce.exezmtrwm.exescvsots.exe

pid	process
2556	scvsots.exe
2556	scvsots.exe
2180	scvsots.exe
2180	scvsots.exe
2692	wimnat.exe
1808	ooaaya.exe
1080	opperce.exe
336	zmtrwm.exe
2960	scvsots.exe
2960	scvsots.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

scvsots.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2180 wrote to memory of 2896	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2896	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2896	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2896	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 276	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 276	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 276	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 276	2180	scvsots.exe	cmd.exe
PID 276 wrote to memory of 2940	276	cmd.exe	schtasks.exe
PID 276 wrote to memory of 2940	276	cmd.exe	schtasks.exe
PID 276 wrote to memory of 2940	276	cmd.exe	schtasks.exe
PID 276 wrote to memory of 2940	276	cmd.exe	schtasks.exe
PID 2180 wrote to memory of 2716	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2716	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2716	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2716	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2152	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2152	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2152	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2152	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2820	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2820	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2820	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2820	2180	scvsots.exe	taskmgr.exe
PID 2180 wrote to memory of 2740	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2740	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2740	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2740	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2760	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2760	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2760	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2760	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2780	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2780	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2780	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2780	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2828	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2828	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2828	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2828	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2540	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2540	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2540	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2540	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 308	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 308	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 308	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 308	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2340	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2340	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2340	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2340	2180	scvsots.exe	cmd.exe
PID 2180 wrote to memory of 2692	2180	scvsots.exe	wimnat.exe
PID 2180 wrote to memory of 2692	2180	scvsots.exe	wimnat.exe
PID 2180 wrote to memory of 2692	2180	scvsots.exe	wimnat.exe
PID 2180 wrote to memory of 2692	2180	scvsots.exe	wimnat.exe
PID 2760 wrote to memory of 2488	2760	cmd.exe	schtasks.exe
PID 2760 wrote to memory of 2488	2760	cmd.exe	schtasks.exe
PID 2760 wrote to memory of 2488	2760	cmd.exe	schtasks.exe
PID 2760 wrote to memory of 2488	2760	cmd.exe	schtasks.exe
PID 308 wrote to memory of 2644	308	cmd.exe	net.exe
PID 308 wrote to memory of 2644	308	cmd.exe	net.exe
PID 308 wrote to memory of 2644	308	cmd.exe	net.exe
PID 308 wrote to memory of 2644	308	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\scvsots.exe
"C:\Users\Admin\AppData\Local\Temp\scvsots.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2556

C:\Windows\scvsots.exe
C:\Windows\scvsots.exe
1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /delete /tn * /f
2⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn * /f
3⤵
PID:2940

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:2896

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:2152

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c sc config LanmanServer start= disabled
2⤵
PID:2340

C:\Windows\SysWOW64\sc.exe
sc config LanmanServer start= disabled
3⤵
- Launches sc.exe
PID:1692

C:\Windows\TEMP\wimnat.exe
C:\Windows\TEMP\wimnat.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop LanmanServer
2⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\net.exe
net stop LanmanServer
3⤵
PID:2644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop LanmanServer
4⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop MpsSvc
2⤵
PID:2540

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
PID:2372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop SharedAccess
2⤵
PID:2828

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
3⤵
PID:3008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
4⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc minute /mo 1 /tn "Flash" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"
2⤵
PID:2780

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Flash" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"
3⤵
- Creates scheduled task(s)
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F"
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc minute /mo 1 /tn "Miscfost" /ru system /tr "cmd /c C:\Windows\ime\scvsots.exe"
2⤵
PID:2740

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Miscfost" /ru system /tr "cmd /c C:\Windows\ime\scvsots.exe"
3⤵
- Creates scheduled task(s)
PID:2216

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\TEMP\opperce.exe
C:\Windows\TEMP\opperce.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:1936

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:1920

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:2940

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:2852

C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F"
1⤵
- Creates scheduled task(s)
PID:2488

C:\Windows\SysWOW64\ooaaya.exe
C:\Windows\SysWOW64\ooaaya.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\SysWOW64\zmtrwm.exe
C:\Windows\SysWOW64\zmtrwm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:336

C:\Windows\system32\taskeng.exe
taskeng.exe {D1562A46-51A3-4022-A1A0-2D7E6427549E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1580

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
2⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2912

C:\Windows\system32\cacls.exe
cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
3⤵
PID:2932

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\scvsots.exe
2⤵
PID:1984

C:\Windows\ime\scvsots.exe
C:\Windows\ime\scvsots.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2960

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F
2⤵
PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2632

C:\Windows\system32\cacls.exe
cacls C:\Windows\scvsots.exe /p everyone:F
3⤵
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IME\scvsots.exe
Filesize
2.1MB

MD5
fd409d4d20e580215c1ec0803eed9725

SHA1
02f9cf94ed6ab9e780755215857c9ba0a3e25065

SHA256
483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79

SHA512
253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38

Download Submit
C:\Windows\InfusedAppe\LocalService\spoolsrv.xml
Filesize
7KB

MD5
497080fed2000e8b49ee2e97e54036b1

SHA1
4af3fae881a80355dd09df6e736203c30c4faac5

SHA256
756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380

SHA512
4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df

Download Submit
C:\Windows\InfusedAppe\LocalService\svchost.xml
Filesize
5KB

MD5
09d45ae26830115fd8d9cdc2aa640ca5

SHA1
41a6ad8d88b6999ac8a3ff00dd9641a37ee20933

SHA256
cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de

SHA512
1a97f62f76f6f5a7b668eadb55f08941b1d8dfed4a28c4d7a4f2494ff57e998407ec2d0fedaf7f670eb541b1fda40ca5e429d4d2a87007ec45ea5d10abd93aa5

Download Submit
C:\Windows\SysWOW64\ooaaya.exe
Filesize
72KB

MD5
2334bb8baf5e062683d8ec67b7ac531e

SHA1
5419ddccabaa0a0b98fd6783c8341012c40db522

SHA256
6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e

SHA512
ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

Download Submit
C:\Windows\SysWOW64\zmtrwm.exe
Filesize
72KB

MD5
a7195beae808ba6cd4e4e373f4b540ed

SHA1
16ee2c2da78116fe3a08aeef07b25df4455a5736

SHA256
bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614

SHA512
6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\TEMP\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\TEMP\opperce.exe
Filesize
72KB

MD5
a7195beae808ba6cd4e4e373f4b540ed

SHA1
16ee2c2da78116fe3a08aeef07b25df4455a5736

SHA256
bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614

SHA512
6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3

Download Submit
C:\Windows\TEMP\wimnat.exe
Filesize
72KB

MD5
2334bb8baf5e062683d8ec67b7ac531e

SHA1
5419ddccabaa0a0b98fd6783c8341012c40db522

SHA256
6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e

SHA512
ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

Download Submit
C:\Windows\Temp\Networks\config.json
Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
C:\Windows\Temp\opperce.exe
Filesize
72KB

MD5
a7195beae808ba6cd4e4e373f4b540ed

SHA1
16ee2c2da78116fe3a08aeef07b25df4455a5736

SHA256
bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614

SHA512
6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3

Download Submit
C:\Windows\Temp\wimnat.exe
Filesize
72KB

MD5
2334bb8baf5e062683d8ec67b7ac531e

SHA1
5419ddccabaa0a0b98fd6783c8341012c40db522

SHA256
6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e

SHA512
ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

Download Submit
C:\Windows\Temp\wimnat.exe
Filesize
72KB

MD5
2334bb8baf5e062683d8ec67b7ac531e

SHA1
5419ddccabaa0a0b98fd6783c8341012c40db522

SHA256
6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e

SHA512
ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

Download Submit
C:\Windows\ime\scvsots.exe
Filesize
2.1MB

MD5
fd409d4d20e580215c1ec0803eed9725

SHA1
02f9cf94ed6ab9e780755215857c9ba0a3e25065

SHA256
483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79

SHA512
253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38

Download Submit
C:\Windows\scvsots.exe
Filesize
2.1MB

MD5
fd409d4d20e580215c1ec0803eed9725

SHA1
02f9cf94ed6ab9e780755215857c9ba0a3e25065

SHA256
483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79

SHA512
253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38

Download Submit
C:\Windows\scvsots.exe
Filesize
2.1MB

MD5
fd409d4d20e580215c1ec0803eed9725

SHA1
02f9cf94ed6ab9e780755215857c9ba0a3e25065

SHA256
483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79

SHA512
253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\Networks\taskmgr.exe
Filesize
481KB

MD5
458a2b86b2c610cc66b3aa081c45584b

SHA1
1771b2d47e29076ef9caaadc520cd3f73cbcbae2

SHA256
ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e

SHA512
6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

Download Submit
\Windows\Temp\opperce.exe
Filesize
72KB

MD5
a7195beae808ba6cd4e4e373f4b540ed

SHA1
16ee2c2da78116fe3a08aeef07b25df4455a5736

SHA256
bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614

SHA512
6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3

Download Submit
\Windows\Temp\opperce.exe
Filesize
72KB

MD5
a7195beae808ba6cd4e4e373f4b540ed

SHA1
16ee2c2da78116fe3a08aeef07b25df4455a5736

SHA256
bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614

SHA512
6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3

Download Submit
\Windows\Temp\wimnat.exe
Filesize
72KB

MD5
2334bb8baf5e062683d8ec67b7ac531e

SHA1
5419ddccabaa0a0b98fd6783c8341012c40db522

SHA256
6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e

SHA512
ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

Download Submit
\Windows\Temp\wimnat.exe
Filesize
72KB

MD5
2334bb8baf5e062683d8ec67b7ac531e

SHA1
5419ddccabaa0a0b98fd6783c8341012c40db522

SHA256
6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e

SHA512
ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

Download Submit
memory/2180-57-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/2180-237-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/2180-66-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/2180-65-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/2556-58-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/2556-54-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/2692-92-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2960-247-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/2960-245-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download