6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe
Size

588KB
MD5

3f30c26df81baf8a4f353c8c0022c509
SHA1

f6d1fcc950cbf3f6d85c5ca269fc43d8adb176fe
SHA256

6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2
SHA512

c5ea28aa707341ffe566756dc7ef21caae4c61b8cdd66495792221b1f6989af18135eeca19e2dac327b15c0208f4194805ad7c4e6d3c5fb36e67132e4d05f89c
SSDEEP

12288:EK5vwaWPAEJSeIXGydrR61FKohiLbJcx1PLXkqaZZ8:Z5vwa8TJE2yJ2FKohiLbwLXi

Score

10^/10

vmprotect

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2176 created 272	2176	qwinsta.exe	21
PID 2176 created 272	2176	qwinsta.exe	21
PID 3000 created 272	3000	mshta.exe	21

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\	prevhost.exe

Unexpected DNS network traffic destination 22 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	183.60.83.19
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0005000000018e01-480.dat	vmprotect

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\asyncreg.log	prevhost.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	prevhost.exe
File created	C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\mbGedTRl.cat	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\o7VYCAJ.cat	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\GYb0kxT2G.cat	svchost.exe
File created	C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\GYb0kxT2G.cat	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\t0el01cM.cat	svchost.exe
File created	C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\t0el01cM.cat	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\mbGedTRl.cat	svchost.exe
File created	C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\o7VYCAJ.cat	svchost.exe
File opened for modification	C:\Windows\System32\dnsrsvlr.log	prevhost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\hzOJIB.tmp	prevhost.exe
File created	C:\Program Files\3T2bqUuYi.sys	prevhost.exe
File created	C:\Program Files\BZbZEo.tmp	prevhost.exe
File created	C:\Program Files\CO6uGGhE.sys	prevhost.exe
File created	C:\Program Files\ykfyAL.tmp	prevhost.exe
File created	C:\Program Files\44renXsZL.sys	prevhost.exe
File created	C:\Program Files\ZPtTjLLw.tmp	prevhost.exe
File created	C:\Program Files\nJBYRhx3.sys	prevhost.exe
File created	C:\Program Files\QejHAMg.tmp	prevhost.exe
File created	C:\Program Files\owznWmyoF.sys	prevhost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\CabE623.tmp	svchost.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TarE624.tmp	svchost.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE
File opened for modification	C:\Windows\win.ini	prevhost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.2345.com?90335-01141	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	Explorer.EXE

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	qwinsta.exe
2176	qwinsta.exe
2176	qwinsta.exe
2176	qwinsta.exe
2176	qwinsta.exe
2176	qwinsta.exe
3000	mshta.exe
3000	mshta.exe
3000	mshta.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
1288	Explorer.EXE
2732	prevhost.exe
2732	prevhost.exe
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE
2732	prevhost.exe
2732	prevhost.exe
1288	Explorer.EXE
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
1288	Explorer.EXE
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
1288	Explorer.EXE
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe
2732	prevhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1288	Explorer.EXE
2732	prevhost.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe
Token: SeTcbPrivilege	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe
Token: SeDebugPrivilege	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe
Token: SeDebugPrivilege	2176	qwinsta.exe
Token: SeTcbPrivilege	2176	qwinsta.exe
Token: SeCreateTokenPrivilege	2176	qwinsta.exe
Token: SeAssignPrimaryTokenPrivilege	2176	qwinsta.exe
Token: SeLockMemoryPrivilege	2176	qwinsta.exe
Token: SeIncreaseQuotaPrivilege	2176	qwinsta.exe
Token: SeMachineAccountPrivilege	2176	qwinsta.exe
Token: SeTcbPrivilege	2176	qwinsta.exe
Token: SeSecurityPrivilege	2176	qwinsta.exe
Token: SeTakeOwnershipPrivilege	2176	qwinsta.exe
Token: SeLoadDriverPrivilege	2176	qwinsta.exe
Token: SeSystemProfilePrivilege	2176	qwinsta.exe
Token: SeSystemtimePrivilege	2176	qwinsta.exe
Token: SeProfSingleProcessPrivilege	2176	qwinsta.exe
Token: SeIncBasePriorityPrivilege	2176	qwinsta.exe
Token: SeCreatePagefilePrivilege	2176	qwinsta.exe
Token: SeCreatePermanentPrivilege	2176	qwinsta.exe
Token: SeBackupPrivilege	2176	qwinsta.exe
Token: SeRestorePrivilege	2176	qwinsta.exe
Token: SeShutdownPrivilege	2176	qwinsta.exe
Token: SeDebugPrivilege	2176	qwinsta.exe
Token: SeAuditPrivilege	2176	qwinsta.exe
Token: SeSystemEnvironmentPrivilege	2176	qwinsta.exe
Token: SeChangeNotifyPrivilege	2176	qwinsta.exe
Token: SeRemoteShutdownPrivilege	2176	qwinsta.exe
Token: SeUndockPrivilege	2176	qwinsta.exe
Token: SeSyncAgentPrivilege	2176	qwinsta.exe
Token: SeEnableDelegationPrivilege	2176	qwinsta.exe
Token: SeManageVolumePrivilege	2176	qwinsta.exe
Token: SeImpersonatePrivilege	2176	qwinsta.exe
Token: SeCreateGlobalPrivilege	2176	qwinsta.exe
Token: 31	2176	qwinsta.exe
Token: 32	2176	qwinsta.exe
Token: 33	2176	qwinsta.exe
Token: 34	2176	qwinsta.exe
Token: 35	2176	qwinsta.exe
Token: SeDebugPrivilege	2176	qwinsta.exe
Token: SeDebugPrivilege	2176	qwinsta.exe
Token: SeDebugPrivilege	3000	mshta.exe
Token: SeTcbPrivilege	3000	mshta.exe
Token: SeCreateTokenPrivilege	3000	mshta.exe
Token: SeAssignPrimaryTokenPrivilege	3000	mshta.exe
Token: SeLockMemoryPrivilege	3000	mshta.exe
Token: SeIncreaseQuotaPrivilege	3000	mshta.exe
Token: SeMachineAccountPrivilege	3000	mshta.exe
Token: SeTcbPrivilege	3000	mshta.exe
Token: SeSecurityPrivilege	3000	mshta.exe
Token: SeTakeOwnershipPrivilege	3000	mshta.exe
Token: SeLoadDriverPrivilege	3000	mshta.exe
Token: SeSystemProfilePrivilege	3000	mshta.exe
Token: SeSystemtimePrivilege	3000	mshta.exe
Token: SeProfSingleProcessPrivilege	3000	mshta.exe
Token: SeIncBasePriorityPrivilege	3000	mshta.exe
Token: SeCreatePagefilePrivilege	3000	mshta.exe
Token: SeCreatePermanentPrivilege	3000	mshta.exe
Token: SeBackupPrivilege	3000	mshta.exe
Token: SeRestorePrivilege	3000	mshta.exe
Token: SeShutdownPrivilege	3000	mshta.exe
Token: SeDebugPrivilege	3000	mshta.exe
Token: SeAuditPrivilege	3000	mshta.exe
Token: SeSystemEnvironmentPrivilege	3000	mshta.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2176	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe	30
PID 2956 wrote to memory of 2176	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe	30
PID 2956 wrote to memory of 2176	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe	30
PID 2956 wrote to memory of 2176	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe	30
PID 2956 wrote to memory of 2176	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe	30
PID 2956 wrote to memory of 2176	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe	30
PID 2956 wrote to memory of 2176	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe	30
PID 2956 wrote to memory of 2176	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe	30
PID 2956 wrote to memory of 2176	2956	6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe	30
PID 2176 wrote to memory of 3000	2176	qwinsta.exe	32
PID 2176 wrote to memory of 3000	2176	qwinsta.exe	32
PID 2176 wrote to memory of 3000	2176	qwinsta.exe	32
PID 2176 wrote to memory of 3000	2176	qwinsta.exe	32
PID 2176 wrote to memory of 3000	2176	qwinsta.exe	32
PID 2176 wrote to memory of 3000	2176	qwinsta.exe	32
PID 2176 wrote to memory of 3000	2176	qwinsta.exe	32
PID 2176 wrote to memory of 3000	2176	qwinsta.exe	32
PID 2176 wrote to memory of 3000	2176	qwinsta.exe	32
PID 2176 wrote to memory of 2712	2176	qwinsta.exe	33
PID 2176 wrote to memory of 2712	2176	qwinsta.exe	33
PID 2176 wrote to memory of 2712	2176	qwinsta.exe	33
PID 2176 wrote to memory of 2712	2176	qwinsta.exe	33
PID 2176 wrote to memory of 2712	2176	qwinsta.exe	33
PID 2176 wrote to memory of 2712	2176	qwinsta.exe	33
PID 2176 wrote to memory of 2712	2176	qwinsta.exe	33
PID 2176 wrote to memory of 2712	2176	qwinsta.exe	33
PID 2176 wrote to memory of 2712	2176	qwinsta.exe	33
PID 3000 wrote to memory of 800	3000	mshta.exe	9
PID 3000 wrote to memory of 800	3000	mshta.exe	9
PID 3000 wrote to memory of 800	3000	mshta.exe	9
PID 3000 wrote to memory of 800	3000	mshta.exe	9
PID 3000 wrote to memory of 800	3000	mshta.exe	9
PID 3000 wrote to memory of 800	3000	mshta.exe	9
PID 3000 wrote to memory of 2732	3000	mshta.exe	34
PID 3000 wrote to memory of 2732	3000	mshta.exe	34
PID 3000 wrote to memory of 2732	3000	mshta.exe	34
PID 3000 wrote to memory of 800	3000	mshta.exe	9
PID 3000 wrote to memory of 2732	3000	mshta.exe	34
PID 3000 wrote to memory of 2732	3000	mshta.exe	34
PID 3000 wrote to memory of 2732	3000	mshta.exe	34
PID 3000 wrote to memory of 2732	3000	mshta.exe	34
PID 3000 wrote to memory of 2732	3000	mshta.exe	34
PID 2732 wrote to memory of 272	2732	prevhost.exe	21
PID 2732 wrote to memory of 272	2732	prevhost.exe	21
PID 2732 wrote to memory of 272	2732	prevhost.exe	21
PID 2732 wrote to memory of 272	2732	prevhost.exe	21
PID 2732 wrote to memory of 272	2732	prevhost.exe	21
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 272	2732	prevhost.exe	21
PID 2732 wrote to memory of 272	2732	prevhost.exe	21
PID 2732 wrote to memory of 272	2732	prevhost.exe	21
PID 2732 wrote to memory of 272	2732	prevhost.exe	21
PID 2732 wrote to memory of 272	2732	prevhost.exe	21
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18
PID 2732 wrote to memory of 1288	2732	prevhost.exe	18

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:800

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288
- C:\Users\Admin\AppData\Local\Temp\6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe
  "C:\Users\Admin\AppData\Local\Temp\6d5ca93a540151d07bd7d9b72ab774ec58ce55d9685885b65103de26cf9bccb2.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\system32\qwinsta.exe
    "C:\Windows\system32\qwinsta.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:272
- C:\Windows\system32\mshta.exe
  "C:\Windows\system32\mshta.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- C:\Windows\system32\ctfmon.exe
  "C:\Windows\system32\ctfmon.exe"
  2⤵
  PID:2712
- C:\Windows\system32\prevhost.exe
  "C:\Windows\system32\prevhost.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\QejHAMg.tmp

Filesize
8KB

MD5
fd90a92f357d476953842d59e72d43e3

SHA1
ea189e994fd46eb909f961f4465aacd90fb89ed2

SHA256
3bb2c01a9943c7f96c40b12a9535317ff3f84c33fd84e1bf2cf190a294b3301b

SHA512
c7b391eed398662d865dc65c11100a56c74d9750a41064a54e023252f695b7b05cb1f3ecd76bb7a2020f5730af1c313f71dd86d962cfff80bc857cdd0b005582

Download Submit
C:\Program Files\ZPtTjLLw.tmp

Filesize
8KB

MD5
fd90a92f357d476953842d59e72d43e3

SHA1
ea189e994fd46eb909f961f4465aacd90fb89ed2

SHA256
3bb2c01a9943c7f96c40b12a9535317ff3f84c33fd84e1bf2cf190a294b3301b

SHA512
c7b391eed398662d865dc65c11100a56c74d9750a41064a54e023252f695b7b05cb1f3ecd76bb7a2020f5730af1c313f71dd86d962cfff80bc857cdd0b005582

Download Submit
C:\Program Files\hzOJIB.tmp

Filesize
8KB

MD5
fd90a92f357d476953842d59e72d43e3

SHA1
ea189e994fd46eb909f961f4465aacd90fb89ed2

SHA256
3bb2c01a9943c7f96c40b12a9535317ff3f84c33fd84e1bf2cf190a294b3301b

SHA512
c7b391eed398662d865dc65c11100a56c74d9750a41064a54e023252f695b7b05cb1f3ecd76bb7a2020f5730af1c313f71dd86d962cfff80bc857cdd0b005582

Download Submit
C:\Program Files\nJBYRhx3.sys

Filesize
926KB

MD5
1a07018da7a73fb8e0e19e692dcc1130

SHA1
b77ce01f7b4f6458d48ce0a971ca1fd733212570

SHA256
d021be4cac010e969430e043d4c58075ab80413a17311c66a9890c4e7e816163

SHA512
0febf2eb691682cf524fb5f5e555f64c8c2287871877e15a3e162c5570aa1b416cc3c457040d3644664b15760a66d58bec916fe20494ff20dff30295b5fd4eaa

Download Submit
C:\Program Files\ykfyAL.tmp

Filesize
8KB

MD5
fd90a92f357d476953842d59e72d43e3

SHA1
ea189e994fd46eb909f961f4465aacd90fb89ed2

SHA256
3bb2c01a9943c7f96c40b12a9535317ff3f84c33fd84e1bf2cf190a294b3301b

SHA512
c7b391eed398662d865dc65c11100a56c74d9750a41064a54e023252f695b7b05cb1f3ecd76bb7a2020f5730af1c313f71dd86d962cfff80bc857cdd0b005582

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
a6d65751fd92d7b5f1b69f12c0d9d1a3

SHA1
7035b789bd0dcffb9fa9e1d6edf4ff698af45be4

SHA256
a3eefd811e62a93c969233e13869640a947a7a57fd6a36f2e2727ee8177acb98

SHA512
b1a0880d3339d8f698dd5939cab86dade7c0ce8259d9fdb182665a0a1925ee15be3742ef81e34b907df05004c117eab22e257a08f8b4198496af7db632dd5e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
c89e50e2bd97cacbc31b5caf4145d56b

SHA1
d52d5c60c26196125ee50cafbf19c8e26888b950

SHA256
4c2110be5fffaeff05aae6292687e2c92a986e7124f5c955953ece587860e7ba

SHA512
37207a15f779ebb6d31f967f0af7b538d70d56c4d61e4c6a80cbf2e996c5ca7c6b586f4e533c897544ebfdbad8ae26076fc110375bef348db033107c229b74fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
b81552855076cbbfec43ff801e6efc10

SHA1
a71be2fca1337710da39a9fcfba16ae73b858dd8

SHA256
81dc93333ad004426d013c668ba63789e7aff3a6197585da1fbe53a5257ffaba

SHA512
2b9a3a71eecba0c1b761a1dab5555e577138120597a46a991b9b215ddbe0e6889fc7dc6bb22985f1198b039df15a8d417ac6323642352453a719cfa82a1dee7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173

Filesize
540B

MD5
50841bc002fda0c8de5b55e24d5b6da1

SHA1
d90ff4fbb61e3a1790e18075797418f83c95585e

SHA256
da3d0a94679fc55b6d349e4ba46efda5df48dfe70ea03e5f3063c6d6f4e4dcd7

SHA512
1af0c3bd695713ac59481c10b70abd78632be6506d2d499a8bdb2f335dd3570acdc938d52cc240576f54d71fa211a873f1820cfb097b4c80c6313dac586ba9ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
b264d60685021e2a41af0831c254395a

SHA1
159e6aabe6f0b5e02eca46d9835bc7479b086c09

SHA256
38167535d530165cc176072a31116c0136f1b48a98a09cf5550cbbeaf452dff2

SHA512
0b141a46304292bba77aa3858e077b595b2d0aa5f2ff9acaa49506282d107b559d1c9de4141fcc87d5e9a4b33d8684ec0965a85e25689208d8c121f1556d818d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC2559F4747982AD7180E2E6AE5C01F2

Filesize
536B

MD5
c54c1443a96857d60a8ba6e141207990

SHA1
b262e0d9e444510d5692405213c51fa80499196b

SHA256
8177b675207c333348b1e3351b5fa7b6e93a60aaa083f28e62ce305c505bdef1

SHA512
c31175c14e66e5a1822c726187cf1c410a17d6caf61ac32b87e534cab54bca03538ee9b9eb2562de7ec5188c38715b37a810972183b18be52ba73f56d9464114

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA5ED.tmp

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ico80EF.exe

Filesize
236KB

MD5
70237c4573b17300b8b2beb99e502061

SHA1
315d491bb4262a97baa9bc121e9c7392414803a2

SHA256
eb2fd1d27499c84fd2e2a874d9205d6b8a302924412dbf5122989d5f6ac7dea8

SHA512
486297167036ff272c1e52776a7e723f230f0f2ca3bd24a1effa92ab79bcef353186940b8101268fcc0ccf742771a94f1d4d859a59705f52f3bd18ea6eefafb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ico80EF.exe

Filesize
236KB

MD5
70237c4573b17300b8b2beb99e502061

SHA1
315d491bb4262a97baa9bc121e9c7392414803a2

SHA256
eb2fd1d27499c84fd2e2a874d9205d6b8a302924412dbf5122989d5f6ac7dea8

SHA512
486297167036ff272c1e52776a7e723f230f0f2ca3bd24a1effa92ab79bcef353186940b8101268fcc0ccf742771a94f1d4d859a59705f52f3bd18ea6eefafb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcoF2CA.tmp

Filesize
50KB

MD5
c8a2f29429364314bcfc3fd1bcc2f4fa

SHA1
793ef26e259e1f6b19019b9fc20a119e8f5daaf1

SHA256
902d5136d86c38d0e5ba9b820c75a17b92162f15f92fe7989443fe22477c9ced

SHA512
eb768676f11faaf22a1a90465b5e0585b65fc547b0f735c3b9843a64cea0fdcad5c9f7ad1bc06e454c9e81477e2bbacdcd247fe18952224c2474ecf9cd399029

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcoFBFF.tmp

Filesize
66KB

MD5
3fb77ff39042c316943386b2f58f1d65

SHA1
180cb4975910173ed2b60197283cf44099b5450d

SHA256
70ce7a04c316202bed40fbdf9ff504be2011345436b07d2f26d0eb4a005a97fd

SHA512
90c31b2e9d1fbde3fcd70434d410ce69fa42dfbf045a902cf894b38650f505852c6eb0dac520c5955a5ca71b5215b9f2cd74480b8a5fa7066cfdb56abca1a724

Download Submit
C:\Users\Admin\AppData\Local\Temp\cache\2e66a61f.exe.ico

Filesize
278KB

MD5
4d95c26ad5f8ff3698c12cf02fcc8bea

SHA1
f973643f0bb99a65d514403231b3dad85281cdb0

SHA256
c6e8a5f9b8ab7cbd2b9d3ebce0f36dbb9c89d048f96b32cf83d48dddaa19a3a1

SHA512
a753a3daa5093d4e77d7dc57f28401d7fc016b6a7d962e37b630a0d05b8a136e4b1a9e0269433d151aaae703bb9c6f8bf3ce3ae61d0e374dc0426921fa9ff580

Download Submit
C:\Users\Admin\Desktop\51ÐÇ±ä-´ò½ð×¬Ç®.lnk

Filesize
1KB

MD5
1a20b473671f7bd3fef3e449cc88c0f5

SHA1
5b45a8f0d72fd67072f8cbe34407a8ebd6273ccf

SHA256
73f55efbf9ca848d2bb53e9ef88a98db65797da291480812d608c88006b5b879

SHA512
277cecc1fdbc7d9abac66628a6b77fd4bc98b9e5c3bb87e6b725cbd426b8fe9bf3ed4201624c32d5f8345c61d8dd5ba0150f4e55a6d0ec57ada9b06046d39db4

Download Submit
C:\Users\Admin\Desktop\DNF¸´¹Å.70.lnk

Filesize
1KB

MD5
66d3a68a44b7d744e23216e44b67327f

SHA1
83a250ecd671ed6ede6f1c4f9689f2bf5b1347c5

SHA256
be1365a54662da1fb0f5ef4e1fd13312e8a513bb58c4b35c3af68e87ebd1f53c

SHA512
6871276434f4ce196004b366de1d48cf104e18a3b1538576c58fa8b02cb2310f3588fe3e1f486f144bc998c19ee337b3813580481b76dbacbc85af300a3a89be

Download Submit
C:\Users\Admin\Desktop\¿ì½Ý×âºÅ.lnk

Filesize
1KB

MD5
a420fda101e7116bf1ae8debdbfcb61e

SHA1
6ced71557458d68e171a624036e4cbeb6cf1e1ba

SHA256
434ec92af27afdad78ed77e15da8e502e02ddf25933bea7dfbcc2605b5c896e3

SHA512
96f463e8fad21104a7d685a8a68cec2b93176d9315398fbdcb4efb58a8b9085baa391f2bcaa35c8ca75faa982ca8f0aea0104aeab834adfaddc7b4cc48f42169

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
192KB

MD5
4d429a9d0dcf880643b06cb64f876e99

SHA1
b2e863bcd4ed7f655ac0ca8127dda60c3ae81619

SHA256
9c4f0c3cd1891956867082c20cb2b0486d4d0ac6bf25190efdb4f5c215c8e1f2

SHA512
606710d15838e9153fb49286646ff243af387003764f7123c0799f02eea320186e66c698fc855fc7edda49760dee8d102800619223375d738f23ad52637238a9

Download Submit
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\mbGedTRl.cat

Filesize
8KB

MD5
fd90a92f357d476953842d59e72d43e3

SHA1
ea189e994fd46eb909f961f4465aacd90fb89ed2

SHA256
3bb2c01a9943c7f96c40b12a9535317ff3f84c33fd84e1bf2cf190a294b3301b

SHA512
c7b391eed398662d865dc65c11100a56c74d9750a41064a54e023252f695b7b05cb1f3ecd76bb7a2020f5730af1c313f71dd86d962cfff80bc857cdd0b005582

Download Submit
memory/272-113-0x0000000000F00000-0x0000000000F1C000-memory.dmp

Filesize
112KB

Download
memory/272-100-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/272-163-0x00000000014F0000-0x00000000014F3000-memory.dmp

Filesize
12KB

Download
memory/272-166-0x0000000001520000-0x000000000153C000-memory.dmp

Filesize
112KB

Download
memory/800-59-0x0000000001DE0000-0x00000000021D0000-memory.dmp

Filesize
3.9MB

Download
memory/800-56-0x0000000001DE0000-0x00000000021D0000-memory.dmp

Filesize
3.9MB

Download
memory/800-93-0x0000000001DE0000-0x00000000021D0000-memory.dmp

Filesize
3.9MB

Download
memory/800-90-0x00000000022C0000-0x00000000023C0000-memory.dmp

Filesize
1024KB

Download
memory/1288-145-0x00000000064F0000-0x00000000065F0000-memory.dmp

Filesize
1024KB

Download
memory/1288-130-0x0000000002B80000-0x0000000002B83000-memory.dmp

Filesize
12KB

Download
memory/1288-171-0x000007FEF6220000-0x000007FEF6363000-memory.dmp

Filesize
1.3MB

Download
memory/1288-132-0x00000000064F0000-0x00000000065F0000-memory.dmp

Filesize
1024KB

Download
memory/1288-133-0x0000000002B90000-0x0000000002BE6000-memory.dmp

Filesize
344KB

Download
memory/1288-172-0x000007FEC3AD0000-0x000007FEC3ADA000-memory.dmp

Filesize
40KB

Download
memory/1288-136-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/1288-146-0x0000000002B90000-0x0000000002BE6000-memory.dmp

Filesize
344KB

Download
memory/2176-10-0x0000000002060000-0x0000000002490000-memory.dmp

Filesize
4.2MB

Download
memory/2176-39-0x0000000002060000-0x0000000002490000-memory.dmp

Filesize
4.2MB

Download
memory/2176-13-0x0000000002490000-0x0000000002590000-memory.dmp

Filesize
1024KB

Download
memory/2176-5-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2176-9-0x0000000002060000-0x0000000002490000-memory.dmp

Filesize
4.2MB

Download
memory/2176-7-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2176-38-0x0000000002060000-0x0000000002490000-memory.dmp

Filesize
4.2MB

Download
memory/2712-86-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2712-82-0x00000000023F0000-0x00000000027E0000-memory.dmp

Filesize
3.9MB

Download
memory/2712-37-0x00000000023F0000-0x00000000027E0000-memory.dmp

Filesize
3.9MB

Download
memory/2732-115-0x0000000000F00000-0x0000000000F1C000-memory.dmp

Filesize
112KB

Download
memory/2732-165-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/2732-116-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2732-117-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2732-118-0x0000000000F00000-0x0000000000F1C000-memory.dmp

Filesize
112KB

Download
memory/2732-120-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/2732-58-0x0000000000250000-0x00000000005DC000-memory.dmp

Filesize
3.5MB

Download
memory/2732-112-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2732-111-0x0000000002110000-0x00000000024A6000-memory.dmp

Filesize
3.6MB

Download
memory/2732-135-0x0000000000F00000-0x0000000000F1C000-memory.dmp

Filesize
112KB

Download
memory/2732-71-0x000007FEBF990000-0x000007FEBF9A0000-memory.dmp

Filesize
64KB

Download
memory/2732-138-0x0000000000F00000-0x0000000000F1C000-memory.dmp

Filesize
112KB

Download
memory/2732-139-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/2732-141-0x0000000000F00000-0x0000000000F1C000-memory.dmp

Filesize
112KB

Download
memory/2732-140-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/2732-143-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/2732-142-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/2732-144-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/2732-72-0x0000000037950000-0x0000000037960000-memory.dmp

Filesize
64KB

Download
memory/2732-85-0x0000000037950000-0x0000000037960000-memory.dmp

Filesize
64KB

Download
memory/2732-147-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/2732-148-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/2732-87-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2732-83-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2732-81-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2732-114-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2732-80-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2732-167-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/2732-79-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2732-75-0x0000000002110000-0x00000000024A6000-memory.dmp

Filesize
3.6MB

Download
memory/2732-189-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2732-78-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2732-76-0x000007FEBF990000-0x000007FEBF9A0000-memory.dmp

Filesize
64KB

Download
memory/2732-74-0x0000000002110000-0x00000000024A6000-memory.dmp

Filesize
3.6MB

Download
memory/2956-11-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2956-92-0x0000000000E30000-0x0000000000EC6000-memory.dmp

Filesize
600KB

Download
memory/2956-2-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2956-4-0x0000000077B10000-0x0000000077B11000-memory.dmp

Filesize
4KB

Download
memory/2956-0-0x0000000000E30000-0x0000000000EC6000-memory.dmp

Filesize
600KB

Download
memory/2956-3-0x000000006FB00000-0x000000006FB10000-memory.dmp

Filesize
64KB

Download
memory/2956-6-0x000000006FB00000-0x000000006FB10000-memory.dmp

Filesize
64KB

Download
memory/3000-41-0x00000000029A0000-0x0000000002AA0000-memory.dmp

Filesize
1024KB

Download
memory/3000-25-0x0000000000970000-0x0000000000973000-memory.dmp

Filesize
12KB

Download
memory/3000-23-0x0000000000970000-0x0000000000973000-memory.dmp

Filesize
12KB

Download
memory/3000-24-0x0000000000970000-0x0000000000973000-memory.dmp

Filesize
12KB

Download
memory/3000-14-0x0000000000180000-0x000000000056B000-memory.dmp

Filesize
3.9MB

Download
memory/3000-89-0x00000000029A0000-0x0000000002AA0000-memory.dmp

Filesize
1024KB

Download
memory/3000-30-0x0000000000DE0000-0x00000000011D0000-memory.dmp

Filesize
3.9MB

Download
memory/3000-18-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3000-68-0x0000000000DE0000-0x00000000011D0000-memory.dmp

Filesize
3.9MB

Download
memory/3000-69-0x0000000000DE0000-0x00000000011D0000-memory.dmp

Filesize
3.9MB

Download