Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2023 12:17

Static task: static1
Behavioral task: behavioral1
- Sample: 6dde0ef221978abe0a4dc088dc5dde52.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 6dde0ef221978abe0a4dc088dc5dde52.exe
- Resource: win10v2004-20231215-en
General
- Target: 6dde0ef221978abe0a4dc088dc5dde52.exe
- Size: 53KB
- MD5: 6dde0ef221978abe0a4dc088dc5dde52
- SHA1: cdbe09c9922f34c1f77d29abdf2e83c7704afef7
- SHA256: f00e4480a92e46fa7a38dcd06c03ba54ddbe61b0edbe5ac303c0eed6453b0f41
- SHA512: 3e17623cb8efbf312f0e480136a27aeefb7d6e87f66c91269296a0b9a38c1f4e06e7019d87570f732524fb7961c8c29e374fc1ee6e404e67ceaf18dcfb3664e4
- SSDEEP: 1536:Yk8s7JfjsCwzvEymEWc94qxdRHdno858c5Fgs0:YkTJfjsCw7FWujxDdnE
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4316027.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4316027.exe\"" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6316022.exe" | 6dde0ef221978abe0a4dc088dc5dde52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6316022.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6316022.exe" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6316022.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6316022.exe" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6316022.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4316027.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6316022.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4316027.exe\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4316027.exe\"" | 6dde0ef221978abe0a4dc088dc5dde52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4316027.exe\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4316027.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6316022.exe" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4316027.exe\"" | smss.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 6dde0ef221978abe0a4dc088dc5dde52.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 6dde0ef221978abe0a4dc088dc5dde52.exe
Adds policy Run key to start application (2 TTPs, 18 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N5028c = "\"C:\\Windows\\_default31602.pif\"" | 6dde0ef221978abe0a4dc088dc5dde52.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N5028c = "\"C:\\Windows\\_default31602.pif\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | m4623.exe
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 6dde0ef221978abe0a4dc088dc5dde52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N5028c = "\"C:\\Windows\\_default31602.pif\"" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N5028c = "\"C:\\Windows\\_default31602.pif\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N5028c = "\"C:\\Windows\\_default31602.pif\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N5028c = "\"C:\\Windows\\_default31602.pif\"" | m4623.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 6dde0ef221978abe0a4dc088dc5dde52.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N5028c = "\"C:\\Windows\\_default31602.pif\"" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | services.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N5028c = "\"C:\\Windows\\_default31602.pif\"" | qm4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | 6dde0ef221978abe0a4dc088dc5dde52.exe
Disables RegEdit via registry modification (8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 6dde0ef221978abe0a4dc088dc5dde52.exe
Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | csrss.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | 6dde0ef221978abe0a4dc088dc5dde52.exe
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | smss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | lsass.exe
Executes dropped EXE (7 IoCs)
pid | Process
2424 | smss.exe
1700 | winlogon.exe
2432 | services.exe
1328 | csrss.exe
3852 | lsass.exe
4312 | qm4623.exe
4444 | m4623.exe
Adds Run key to start application (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | 6dde0ef221978abe0a4dc088dc5dde52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N5028c = "\"C:\\Windows\\j6316022.exe\"" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | qm4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N5028c = "\"C:\\Windows\\j6316022.exe\"" | 6dde0ef221978abe0a4dc088dc5dde52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N5028c = "\"C:\\Windows\\j6316022.exe\"" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N5028c = "\"C:\\Windows\\j6316022.exe\"" | services.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N5028c = "\"C:\\Windows\\j6316022.exe\"" | m4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N5028c = "\"C:\\Windows\\j6316022.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N5028c = "\"C:\\Windows\\j6316022.exe\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N5028c = "\"C:\\Windows\\j6316022.exe\"" | qm4623.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | lsass.exe
File opened (read-only) | \??\L: | lsass.exe
File opened (read-only) | \??\O: | lsass.exe
File opened (read-only) | \??\S: | lsass.exe
File opened (read-only) | \??\U: | lsass.exe
File opened (read-only) | \??\W: | lsass.exe
File opened (read-only) | \??\G: | lsass.exe
File opened (read-only) | \??\K: | lsass.exe
File opened (read-only) | \??\N: | lsass.exe
File opened (read-only) | \??\R: | lsass.exe
File opened (read-only) | \??\T: | lsass.exe
File opened (read-only) | \??\V: | lsass.exe
File opened (read-only) | \??\I: | lsass.exe
File opened (read-only) | \??\P: | lsass.exe
File opened (read-only) | \??\Q: | lsass.exe
File opened (read-only) | \??\Z: | lsass.exe
File opened (read-only) | \??\H: | lsass.exe
File opened (read-only) | \??\J: | lsass.exe
File opened (read-only) | \??\M: | lsass.exe
File opened (read-only) | \??\X: | lsass.exe
File opened (read-only) | \??\Y: | lsass.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\s4827\winlogon.exe | smss.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | m4623.exe
File created | C:\Windows\SysWOW64\c_31602k.com | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\SysWOW64\s4827\csrss.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | qm4623.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | m4623.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | lsass.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\SysWOW64\c_31602k.com | smss.exe
File opened for modification | C:\Windows\SysWOW64\c_31602k.com | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | m4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\domlist.txt | lsass.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | qm4623.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | csrss.exe
File created | C:\Windows\SysWOW64\c_31602k.com | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\SysWOW64\c_31602k.com | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | m4623.exe
File opened for modification | C:\Windows\SysWOW64\c_31602k.com | m4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | services.exe
File opened for modification | C:\Windows\SysWOW64\c_31602k.com | csrss.exe
File created | C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | csrss.exe
File created | C:\Windows\SysWOW64\c_31602k.com | qm4623.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | 6dde0ef221978abe0a4dc088dc5dde52.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | services.exe
File created | C:\Windows\SysWOW64\s4827\m4623.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qm4623.exe
File created | C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\c_31602k.com | lsass.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | services.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | m4623.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\SysWOW64\c_31602k.com | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\SysWOW64\s4827\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\c.bron.tok.txt | lsass.exe
File opened for modification | C:\Windows\SysWOW64\c_31602k.com | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | m4623.exe
File created | C:\Windows\SysWOW64\c_31602k.com | m4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
Drops file in Windows directory (39 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\o4316027.exe | winlogon.exe
File opened for modification | C:\Windows\_default31602.pif | qm4623.exe
File created | C:\Windows\o4316027.exe | m4623.exe
File created | C:\Windows\j6316022.exe | winlogon.exe
File opened for modification | C:\Windows\j6316022.exe | m4623.exe
File created | C:\Windows\o4316027.exe | winlogon.exe
File created | C:\Windows\_default31602.pif | qm4623.exe
File opened for modification | C:\Windows\o4316027.exe | 6dde0ef221978abe0a4dc088dc5dde52.exe
File created | C:\Windows\o4316027.exe | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\_default31602.pif | smss.exe
File opened for modification | C:\Windows\j6316022.exe | winlogon.exe
File opened for modification | C:\Windows\j6316022.exe | services.exe
File opened for modification | C:\Windows\_default31602.pif | lsass.exe
File created | C:\Windows\_default31602.pif | winlogon.exe
File opened for modification | C:\Windows\j6316022.exe | smss.exe
File opened for modification | C:\Windows\_default31602.pif | winlogon.exe
File opened for modification | C:\Windows\_default31602.pif | services.exe
File opened for modification | C:\Windows\j6316022.exe | csrss.exe
File opened for modification | C:\Windows\o4316027.exe | qm4623.exe
File opened for modification | C:\Windows\o4316027.exe | services.exe
File created | C:\Windows\Ad10218\qm4623.exe | winlogon.exe
File created | C:\Windows\o4316027.exe | qm4623.exe
File created | C:\Windows\j6316022.exe | qm4623.exe
File created | C:\Windows\j6316022.exe | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\o4316027.exe | smss.exe
File opened for modification | C:\Windows\Ad10218\qm4623.exe | winlogon.exe
File opened for modification | C:\Windows\_default31602.pif | m4623.exe
File created | C:\Windows\j6316022.exe | m4623.exe
File opened for modification | C:\Windows\j6316022.exe | 6dde0ef221978abe0a4dc088dc5dde52.exe
File created | C:\Windows\_default31602.pif | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\j6316022.exe | qm4623.exe
File opened for modification | C:\Windows\_default31602.pif | csrss.exe
File created | C:\Windows\_default31602.pif | m4623.exe
File opened for modification | C:\Windows\Ad10218 | winlogon.exe
File opened for modification | C:\Windows\j6316022.exe | lsass.exe
File opened for modification | C:\Windows\o4316027.exe | lsass.exe
File opened for modification | C:\Windows\_default31602.pif | 6dde0ef221978abe0a4dc088dc5dde52.exe
File opened for modification | C:\Windows\o4316027.exe | csrss.exe
File opened for modification | C:\Windows\o4316027.exe | m4623.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Discovers systems in the same network (1 TTPs, 1 IoCs)
pid | Process
4840 | net.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 6dde0ef221978abe0a4dc088dc5dde52.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | smss.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1700 | winlogon.exe (64 identical entries)
Suspicious use of WriteProcessMemory (36 IoCs)
Each parent/child pair below was recorded three times; the count is given per row.
description | pid | Process | procid_target
PID 1068 wrote to memory of 2424 | 1068 | 6dde0ef221978abe0a4dc088dc5dde52.exe | 95 (3 entries)
PID 2424 wrote to memory of 1700 | 2424 | smss.exe | 98 (3 entries)
PID 1700 wrote to memory of 2432 | 1700 | winlogon.exe | 100 (3 entries)
PID 1700 wrote to memory of 1328 | 1700 | winlogon.exe | 114 (3 entries)
PID 1700 wrote to memory of 3852 | 1700 | winlogon.exe | 113 (3 entries)
PID 1700 wrote to memory of 4312 | 1700 | winlogon.exe | 111 (3 entries)
PID 1700 wrote to memory of 4444 | 1700 | winlogon.exe | 103 (3 entries)
PID 1700 wrote to memory of 3212 | 1700 | winlogon.exe | 106 (3 entries)
PID 1700 wrote to memory of 1444 | 1700 | winlogon.exe | 117 (3 entries)
PID 1700 wrote to memory of 4560 | 1700 | winlogon.exe | 119 (3 entries)
PID 3852 wrote to memory of 4676 | 3852 | lsass.exe | 125 (3 entries)
PID 4676 wrote to memory of 4840 | 4676 | cmd.exe | 127 (3 entries)
Processes
- PID 1068: C:\Users\Admin\AppData\Local\Temp\6dde0ef221978abe0a4dc088dc5dde52.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6dde0ef221978abe0a4dc088dc5dde52.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - PID 2424: C:\Windows\SysWOW64\s4827\smss.exe
    Command line: "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - PID 1700: C:\Windows\SysWOW64\s4827\winlogon.exe
      Command line: "C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - PID 2432: C:\Windows\SysWOW64\s4827\services.exe
        Command line: "C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
      - PID 4444: C:\Windows\SysWOW64\s4827\m4623.exe
        Command line: "C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
      - PID 3212: C:\Windows\SysWOW64\at.exe
        Command line: "C:\Windows\System32\at.exe" /delete /y
      - PID 4312: C:\Windows\Ad10218\qm4623.exe
        Command line: "C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
      - PID 3852: C:\Windows\SysWOW64\s4827\lsass.exe
        Command line: "C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        - PID 4676: C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"
          - Suspicious use of WriteProcessMemory
          - PID 4840: C:\Windows\SysWOW64\net.exe
            Command line: net view /domain
            - Discovers systems in the same network
      - PID 1328: C:\Windows\SysWOW64\s4827\csrss.exe
        Command line: "C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
      - PID 1444: C:\Windows\SysWOW64\at.exe
        Command line: "C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
      - PID 4560: C:\Windows\SysWOW64\at.exe
        Command line: "C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (5)
Downloads
- Filesize: 4KB
  MD5: 9e53d7cd352d4b8b574ca07e3442c48c
  SHA1: 436e6d7c281544df5517c4e776dfd8ffb2c4ee74
  SHA256: 751c348d0d1e470fb2ae94cc90b1b92537115d3ba6c1a9176729864cad08808b
  SHA512: 20bf4593bd385afbd32b65b9197ea7647167b352ab37335e2d93f4522c78f641c1c91136a2e33179f98536ad645b7c3132aff5ed3c042b73247d4e6db3045efc
- Filesize: 53KB
  MD5: 6dde0ef221978abe0a4dc088dc5dde52
  SHA1: cdbe09c9922f34c1f77d29abdf2e83c7704afef7
  SHA256: f00e4480a92e46fa7a38dcd06c03ba54ddbe61b0edbe5ac303c0eed6453b0f41
  SHA512: 3e17623cb8efbf312f0e480136a27aeefb7d6e87f66c91269296a0b9a38c1f4e06e7019d87570f732524fb7961c8c29e374fc1ee6e404e67ceaf18dcfb3664e4