4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-10-2023 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
Size

4.5MB
MD5

a35b88f8716f20f5a89adf37c752f27a
SHA1

6c6ae45f46e3afc66bba24d94c49718eac416483
SHA256

4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38
SHA512

7e52886e3c4819e40fe9870a8763da79abf8d14bd26a3c87fed38188664521c4b2109cd2a55a736e9281f8292397adb91366e0fc09825993c37cd93d7b824441
SSDEEP

98304:70bHVHZF9AnZp4WvOhvSmEHXK8L6nMWcAI3uL81Ah4DH/mviccF:7wVHZ3Ep4W213WXK8LUveeg1c4DH/mv

Score

9^/10

evasion persistence

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	PTvrst.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
3012	spolsvt.exe
2476	spolsvt.exe
2784	spolsvt.exe
1472	spolsvt.exe
1816	PTvrst.exe
2024	spolsvt.exe
2376	spolsvt.exe
1088	spolsvt.exe
868	spolsvt.exe
2240	spolsvt.exe
2844	spolsvt.exe
3020	spolsvt.exe
2640	spolsvt.exe
2452	spolsvt.exe
1940	spolsvt.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Wine	PTvrst.exe

Loads dropped DLL 16 IoCs

pid	Process
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
3012	spolsvt.exe
3012	spolsvt.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2784	spolsvt.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
1816	PTvrst.exe
2024	spolsvt.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2376	spolsvt.exe
868	spolsvt.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
3020	spolsvt.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2452	spolsvt.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe"	PTvrst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
1816	PTvrst.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 3012 set thread context of 2476	3012	spolsvt.exe	30
PID 2440 set thread context of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2784 set thread context of 1472	2784	spolsvt.exe	32
PID 2440 set thread context of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 1816 set thread context of 2376	1816	PTvrst.exe	36
PID 2024 set thread context of 1088	2024	spolsvt.exe	37
PID 2440 set thread context of 868	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	38
PID 2376 set thread context of 2240	2376	spolsvt.exe	39
PID 868 set thread context of 2844	868	spolsvt.exe	40
PID 2440 set thread context of 3020	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	41
PID 3020 set thread context of 2640	3020	spolsvt.exe	42
PID 2440 set thread context of 2452	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	43
PID 2452 set thread context of 1940	2452	spolsvt.exe	44

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\DNomb\spolsvt.exe	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
File created	C:\Windows\DNomb\Mpec.mbt	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
File opened for modification	C:\Windows\DNomb\Mpec.mbt	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
File created	C:\Windows\DNomb\PTvrst.exe	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
3012	spolsvt.exe
3012	spolsvt.exe
2784	spolsvt.exe
2784	spolsvt.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
1816	PTvrst.exe
2024	spolsvt.exe
2024	spolsvt.exe
2376	spolsvt.exe
2376	spolsvt.exe
868	spolsvt.exe
868	spolsvt.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
3020	spolsvt.exe
3020	spolsvt.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2452	spolsvt.exe
2452	spolsvt.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	spolsvt.exe
Token: SeDebugPrivilege	1472	spolsvt.exe
Token: SeDebugPrivilege	1088	spolsvt.exe
Token: SeDebugPrivilege	2240	spolsvt.exe
Token: SeDebugPrivilege	2844	spolsvt.exe
Token: SeDebugPrivilege	2640	spolsvt.exe
Token: SeDebugPrivilege	1940	spolsvt.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
3012	spolsvt.exe
3012	spolsvt.exe
2784	spolsvt.exe
2784	spolsvt.exe
1816	PTvrst.exe
1816	PTvrst.exe
2024	spolsvt.exe
2024	spolsvt.exe
2376	spolsvt.exe
2376	spolsvt.exe
868	spolsvt.exe
868	spolsvt.exe
3020	spolsvt.exe
3020	spolsvt.exe
2452	spolsvt.exe
2452	spolsvt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 2440 wrote to memory of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 2440 wrote to memory of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 2440 wrote to memory of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 2440 wrote to memory of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 2440 wrote to memory of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 2440 wrote to memory of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 2440 wrote to memory of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 2440 wrote to memory of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 2440 wrote to memory of 3012	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	29
PID 3012 wrote to memory of 2476	3012	spolsvt.exe	30
PID 3012 wrote to memory of 2476	3012	spolsvt.exe	30
PID 3012 wrote to memory of 2476	3012	spolsvt.exe	30
PID 3012 wrote to memory of 2476	3012	spolsvt.exe	30
PID 3012 wrote to memory of 2476	3012	spolsvt.exe	30
PID 3012 wrote to memory of 2476	3012	spolsvt.exe	30
PID 3012 wrote to memory of 2476	3012	spolsvt.exe	30
PID 3012 wrote to memory of 2476	3012	spolsvt.exe	30
PID 3012 wrote to memory of 2476	3012	spolsvt.exe	30
PID 2440 wrote to memory of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2440 wrote to memory of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2440 wrote to memory of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2440 wrote to memory of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2440 wrote to memory of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2440 wrote to memory of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2440 wrote to memory of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2440 wrote to memory of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2440 wrote to memory of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2440 wrote to memory of 2784	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	31
PID 2784 wrote to memory of 1472	2784	spolsvt.exe	32
PID 2784 wrote to memory of 1472	2784	spolsvt.exe	32
PID 2784 wrote to memory of 1472	2784	spolsvt.exe	32
PID 2784 wrote to memory of 1472	2784	spolsvt.exe	32
PID 2784 wrote to memory of 1472	2784	spolsvt.exe	32
PID 2784 wrote to memory of 1472	2784	spolsvt.exe	32
PID 2784 wrote to memory of 1472	2784	spolsvt.exe	32
PID 2784 wrote to memory of 1472	2784	spolsvt.exe	32
PID 2784 wrote to memory of 1472	2784	spolsvt.exe	32
PID 2440 wrote to memory of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 2440 wrote to memory of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 2440 wrote to memory of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 2440 wrote to memory of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 2440 wrote to memory of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 2440 wrote to memory of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 2440 wrote to memory of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 2440 wrote to memory of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 2440 wrote to memory of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 2440 wrote to memory of 2024	2440	4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe	35
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 2024 wrote to memory of 1088	2024	spolsvt.exe	37
PID 2024 wrote to memory of 1088	2024	spolsvt.exe	37
PID 2024 wrote to memory of 1088	2024	spolsvt.exe	37
PID 2024 wrote to memory of 1088	2024	spolsvt.exe	37
PID 1816 wrote to memory of 2376	1816	PTvrst.exe	36
PID 2024 wrote to memory of 1088	2024	spolsvt.exe	37

C:\Users\Admin\AppData\Local\Temp\4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe
"C:\Users\Admin\AppData\Local\Temp\4776527f503f33a2854e1db14273a002a7ff8b50c47e49d83c98840add78ed38.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:868
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3020
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2452
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1940

C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816
- C:\WINDOWS\DNomb\spolsvt.exe
  C:\WINDOWS\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2376
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\yh.png

Filesize
93KB

MD5
766975a2dabf276ae2f819605c99826c

SHA1
9884170fb34adf01e68d2931b3848c84db9f26f9

SHA256
78d4cd14f316c4f5518d142c1c0c7832a00e0245a4a2d0f385e37d189a3f8fde

SHA512
a02b1722073dda81407a872a24391c65a88d17132e1d153c581a045cad9f1c7da5486c23187b13f8139b8dcff19697b86620eab20c6dbe8753f53a031be46795

Download Submit
C:\WINDOWS\DNomb\Mpec.mbt

Filesize
488KB

MD5
793a9e1af0d8ec51a80718bfb5b9c6fb

SHA1
a9a88c84f77ac34c1a44d354d8fe2f355f26eff8

SHA256
6bedd7c9108f3f1ae44b37aeb56caabfe32138120e66ab40a05bc3db8243b192

SHA512
8e987c5a9d4a326bae4fa912b8f71887f243be74d0fe1bb55e31202352739c99ec63020d739e52e5e8958fb8a9df5ed379c72b8a6ab0582cd0b0a2332ebf3a16

Download Submit
C:\WINDOWS\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
memory/1816-156-0x0000000077C40000-0x0000000077C42000-memory.dmp

Filesize
8KB

Download
memory/1816-231-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1816-323-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/1816-205-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1816-155-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/1816-220-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/1816-235-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/1816-181-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/1816-242-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/1816-227-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/1816-184-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/1816-224-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/1816-187-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/1816-189-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/1816-191-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/1816-217-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1816-193-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/1816-195-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/1816-197-0x00000000042E0000-0x00000000042E2000-memory.dmp

Filesize
8KB

Download
memory/1816-214-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/1816-199-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/1816-201-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/1816-203-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/1816-210-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/2440-6-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2440-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2440-427-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/2440-31-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2440-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2440-151-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/2440-4-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/2440-29-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2440-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2440-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/2440-24-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2440-36-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2440-26-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2440-9-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2440-32-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2440-7-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2440-16-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2440-34-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2440-19-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2440-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2476-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2476-76-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2476-83-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2476-78-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3012-54-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3012-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-47-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3012-57-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3012-49-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3012-51-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3012-66-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3012-60-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download