35ecce484d7cc4dad1ac9436ad92922dd42c89f5ebfa8b739ff005de71f652f9

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d165c8bcb325241eb3e05c838ec2da5.exe
Size

646KB
MD5

3d165c8bcb325241eb3e05c838ec2da5
SHA1

54588ec7edfb46324f03d259778dee7830b4106d
SHA256

35ecce484d7cc4dad1ac9436ad92922dd42c89f5ebfa8b739ff005de71f652f9
SHA512

079ec0f0114a8882f17c0e54aab49f0b16b7a699a43fb3dafb7cee1250b01a7cee1130b0c878d3225f31d4f4a034427fcdffe56903fe93e625cb562cc9826b9f
SSDEEP

12288:k/dr9yql7Xk+mO0FKUDTtMi1NzW/DaRMvNXx265syu4MrZ:kl8qNUyUdMONUzeosyu4M

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	bdhost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	g6NuH2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	haucu.exe

Disables taskbar notifications via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
1520	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2748	g6NuH2.exe
2744	haucu.exe
2732	adhost.exe
2220	adhost.exe
2356	bdhost.exe
1692	bdhost.exe
2036	bdhost.exe
2768	cdhost.exe
3016	ddhost.exe
336	csrss.exe

Loads dropped DLL 12 IoCs

pid	Process
2216	3d165c8bcb325241eb3e05c838ec2da5.exe
2216	3d165c8bcb325241eb3e05c838ec2da5.exe
2748	g6NuH2.exe
2748	g6NuH2.exe
2216	3d165c8bcb325241eb3e05c838ec2da5.exe
2216	3d165c8bcb325241eb3e05c838ec2da5.exe
2216	3d165c8bcb325241eb3e05c838ec2da5.exe
2216	3d165c8bcb325241eb3e05c838ec2da5.exe
2216	3d165c8bcb325241eb3e05c838ec2da5.exe
2216	3d165c8bcb325241eb3e05c838ec2da5.exe
2216	3d165c8bcb325241eb3e05c838ec2da5.exe
2216	3d165c8bcb325241eb3e05c838ec2da5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-2-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2216-3-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2216-5-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2216-11-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2216-12-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2216-13-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2216-50-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2356-85-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1692-99-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1692-98-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2356-106-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2036-178-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2356-185-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1692-253-0x0000000000570000-0x0000000000670000-memory.dmp	upx
behavioral1/memory/2216-321-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /k"	haucu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1B6.exe = "C:\\Program Files (x86)\\LP\\D3A7\\1B6.exe"	bdhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /P"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /d"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /p"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /w"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /K"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /o"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /J"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /L"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /m"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /V"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /j"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /T"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /e"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /S"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /g"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /A"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /Y"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /x"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /l"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /u"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /I"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /B"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /N"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /E"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /T"	g6NuH2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /R"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /v"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /y"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /G"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /W"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /b"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /H"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /i"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /M"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /t"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /r"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /Z"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /q"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /s"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /X"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /C"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /F"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /f"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /O"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /D"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /c"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /h"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /z"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /U"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /n"	haucu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\haucu = "C:\\Users\\Admin\\haucu.exe /a"	haucu.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 688 set thread context of 2216	688	3d165c8bcb325241eb3e05c838ec2da5.exe	28
PID 2732 set thread context of 2220	2732	adhost.exe	38
PID 2768 set thread context of 2676	2768	cdhost.exe	45

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\D3A7\1B6.exe	bdhost.exe
File opened for modification	C:\Program Files (x86)\LP\D3A7\1B6.exe	bdhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2580	tasklist.exe
2968	tasklist.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{717112e1-f980-f90b-05d8-7bcbd5430dc8}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717112e1-f980-f90b-05d8-7bcbd5430dc8}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717112e1-f980-f90b-05d8-7bcbd5430dc8}\cid = "5677861460599683308"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	g6NuH2.exe
2748	g6NuH2.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2220	adhost.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2220	adhost.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2220	adhost.exe
2744	haucu.exe
2220	adhost.exe
2220	adhost.exe
2744	haucu.exe
2744	haucu.exe
2744	haucu.exe
2220	adhost.exe
2744	haucu.exe
2220	adhost.exe
2744	haucu.exe
2220	adhost.exe
2744	haucu.exe
2744	haucu.exe
2220	adhost.exe
2744	haucu.exe
2220	adhost.exe
2220	adhost.exe
2744	haucu.exe
2220	adhost.exe
2220	adhost.exe
2744	haucu.exe
2744	haucu.exe
2220	adhost.exe
2220	adhost.exe
2744	haucu.exe
2220	adhost.exe
2744	haucu.exe
2744	haucu.exe
2220	adhost.exe
2220	adhost.exe
2220	adhost.exe
2744	haucu.exe
2220	adhost.exe
2744	haucu.exe
2220	adhost.exe
2744	haucu.exe
2744	haucu.exe
2220	adhost.exe
2220	adhost.exe
2220	adhost.exe
2744	haucu.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1724	explorer.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	tasklist.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeDebugPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeDebugPrivilege	2968	tasklist.exe
Token: SeAssignPrimaryTokenPrivilege	840	svchost.exe
Token: SeIncreaseQuotaPrivilege	840	svchost.exe
Token: SeSecurityPrivilege	840	svchost.exe
Token: SeTakeOwnershipPrivilege	840	svchost.exe
Token: SeLoadDriverPrivilege	840	svchost.exe
Token: SeRestorePrivilege	840	svchost.exe
Token: SeSystemEnvironmentPrivilege	840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	840	svchost.exe
Token: SeIncreaseQuotaPrivilege	840	svchost.exe
Token: SeSecurityPrivilege	840	svchost.exe
Token: SeTakeOwnershipPrivilege	840	svchost.exe
Token: SeLoadDriverPrivilege	840	svchost.exe
Token: SeSystemtimePrivilege	840	svchost.exe
Token: SeBackupPrivilege	840	svchost.exe
Token: SeRestorePrivilege	840	svchost.exe
Token: SeShutdownPrivilege	840	svchost.exe
Token: SeSystemEnvironmentPrivilege	840	svchost.exe
Token: SeUndockPrivilege	840	svchost.exe
Token: SeManageVolumePrivilege	840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	840	svchost.exe
Token: SeIncreaseQuotaPrivilege	840	svchost.exe
Token: SeSecurityPrivilege	840	svchost.exe
Token: SeTakeOwnershipPrivilege	840	svchost.exe
Token: SeLoadDriverPrivilege	840	svchost.exe
Token: SeRestorePrivilege	840	svchost.exe
Token: SeSystemEnvironmentPrivilege	840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	840	svchost.exe
Token: SeIncreaseQuotaPrivilege	840	svchost.exe
Token: SeSecurityPrivilege	840	svchost.exe
Token: SeTakeOwnershipPrivilege	840	svchost.exe
Token: SeLoadDriverPrivilege	840	svchost.exe
Token: SeRestorePrivilege	840	svchost.exe
Token: SeSystemEnvironmentPrivilege	840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	840	svchost.exe
Token: SeIncreaseQuotaPrivilege	840	svchost.exe
Token: SeSecurityPrivilege	840	svchost.exe
Token: SeTakeOwnershipPrivilege	840	svchost.exe
Token: SeLoadDriverPrivilege	840	svchost.exe
Token: SeRestorePrivilege	840	svchost.exe
Token: SeSystemEnvironmentPrivilege	840	svchost.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2216	3d165c8bcb325241eb3e05c838ec2da5.exe
2748	g6NuH2.exe
2744	haucu.exe
3016	ddhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 2216	688	3d165c8bcb325241eb3e05c838ec2da5.exe	28
PID 688 wrote to memory of 2216	688	3d165c8bcb325241eb3e05c838ec2da5.exe	28
PID 688 wrote to memory of 2216	688	3d165c8bcb325241eb3e05c838ec2da5.exe	28
PID 688 wrote to memory of 2216	688	3d165c8bcb325241eb3e05c838ec2da5.exe	28
PID 688 wrote to memory of 2216	688	3d165c8bcb325241eb3e05c838ec2da5.exe	28
PID 688 wrote to memory of 2216	688	3d165c8bcb325241eb3e05c838ec2da5.exe	28
PID 688 wrote to memory of 2216	688	3d165c8bcb325241eb3e05c838ec2da5.exe	28
PID 688 wrote to memory of 2216	688	3d165c8bcb325241eb3e05c838ec2da5.exe	28
PID 2216 wrote to memory of 2748	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	29
PID 2216 wrote to memory of 2748	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	29
PID 2216 wrote to memory of 2748	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	29
PID 2216 wrote to memory of 2748	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	29
PID 2748 wrote to memory of 2744	2748	g6NuH2.exe	30
PID 2748 wrote to memory of 2744	2748	g6NuH2.exe	30
PID 2748 wrote to memory of 2744	2748	g6NuH2.exe	30
PID 2748 wrote to memory of 2744	2748	g6NuH2.exe	30
PID 2216 wrote to memory of 2732	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	32
PID 2748 wrote to memory of 1632	2748	g6NuH2.exe	31
PID 2748 wrote to memory of 1632	2748	g6NuH2.exe	31
PID 2748 wrote to memory of 1632	2748	g6NuH2.exe	31
PID 2216 wrote to memory of 2732	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	32
PID 2748 wrote to memory of 1632	2748	g6NuH2.exe	31
PID 2216 wrote to memory of 2732	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	32
PID 2216 wrote to memory of 2732	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	32
PID 1632 wrote to memory of 2580	1632	cmd.exe	34
PID 1632 wrote to memory of 2580	1632	cmd.exe	34
PID 1632 wrote to memory of 2580	1632	cmd.exe	34
PID 1632 wrote to memory of 2580	1632	cmd.exe	34
PID 2744 wrote to memory of 2580	2744	haucu.exe	34
PID 2744 wrote to memory of 2580	2744	haucu.exe	34
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2732 wrote to memory of 2220	2732	adhost.exe	38
PID 2216 wrote to memory of 2356	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	39
PID 2216 wrote to memory of 2356	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	39
PID 2216 wrote to memory of 2356	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	39
PID 2216 wrote to memory of 2356	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	39
PID 2356 wrote to memory of 1692	2356	bdhost.exe	40
PID 2356 wrote to memory of 1692	2356	bdhost.exe	40
PID 2356 wrote to memory of 1692	2356	bdhost.exe	40
PID 2356 wrote to memory of 1692	2356	bdhost.exe	40
PID 2356 wrote to memory of 2036	2356	bdhost.exe	42
PID 2356 wrote to memory of 2036	2356	bdhost.exe	42
PID 2356 wrote to memory of 2036	2356	bdhost.exe	42
PID 2356 wrote to memory of 2036	2356	bdhost.exe	42
PID 2216 wrote to memory of 2768	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	44
PID 2216 wrote to memory of 2768	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	44
PID 2216 wrote to memory of 2768	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	44
PID 2216 wrote to memory of 2768	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	44
PID 2768 wrote to memory of 2676	2768	cdhost.exe	45
PID 2768 wrote to memory of 2676	2768	cdhost.exe	45
PID 2768 wrote to memory of 2676	2768	cdhost.exe	45
PID 2768 wrote to memory of 2676	2768	cdhost.exe	45
PID 2768 wrote to memory of 2676	2768	cdhost.exe	45
PID 2216 wrote to memory of 3016	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	47
PID 2216 wrote to memory of 3016	2216	3d165c8bcb325241eb3e05c838ec2da5.exe	47

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bdhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	bdhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:336

C:\Users\Admin\AppData\Local\Temp\3d165c8bcb325241eb3e05c838ec2da5.exe
"C:\Users\Admin\AppData\Local\Temp\3d165c8bcb325241eb3e05c838ec2da5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:688
- C:\Users\Admin\AppData\Local\Temp\3d165c8bcb325241eb3e05c838ec2da5.exe
  3d165c8bcb325241eb3e05c838ec2da5.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\g6NuH2.exe
    C:\Users\Admin\g6NuH2.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\haucu.exe
      "C:\Users\Admin\haucu.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del g6NuH2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
- - C:\Users\Admin\adhost.exe
    C:\Users\Admin\adhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\adhost.exe
      adhost.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2220
- - C:\Users\Admin\bdhost.exe
    C:\Users\Admin\bdhost.exe
    3⤵
    - Modifies security service
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2356
  - - C:\Users\Admin\bdhost.exe
      C:\Users\Admin\bdhost.exe startC:\Users\Admin\AppData\Roaming\72DAB\37ED3.exe%C:\Users\Admin\AppData\Roaming\72DAB
      4⤵
      Executes dropped EXE
      PID:1692
  - - C:\Users\Admin\bdhost.exe
      C:\Users\Admin\bdhost.exe startC:\Program Files (x86)\ABD7C\lvvm.exe%C:\Program Files (x86)\ABD7C
      4⤵
      Executes dropped EXE
      PID:2036
- - C:\Users\Admin\cdhost.exe
    C:\Users\Admin\cdhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\explorer.exe
      00000054*
      4⤵
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:2676
- - C:\Users\Admin\ddhost.exe
    C:\Users\Admin\ddhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 3d165c8bcb325241eb3e05c838ec2da5.exe
    3⤵
    - Deletes itself
    PID:1520
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2968

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\72DAB\BD7C.2DA

Filesize
600B

MD5
79ec51eeae70440cbe0496bc7d05a4d0

SHA1
bebde522f372ca765ed17ec4f53bd184e567b021

SHA256
4e811f9988d92beafdf08af493d007dcc382f0654e07b07c23c5243c4e942b15

SHA512
647808ca9093685765459ccadf44415cda8f2cc0e38be16e45a54cbceea3a786ad70b87f56782f398c4640e8d9b972e73c1f0a31161606f8a02c2023c774e088

Download Submit
C:\Users\Admin\AppData\Roaming\72DAB\BD7C.2DA

Filesize
996B

MD5
349eb32439d335e3fab181460344ed20

SHA1
023d67ed6970c04c0f4987e010ee5e4f23d6ac81

SHA256
80f8bffb0f02d4da70308a26c2e1e75ba48c1603db1654c9713de19ac6869f1f

SHA512
559a99d03b8a7862104c8129189837eda41e6bfcb712402731a9c0e989827f4e6f87231d729241a7145243eaee1b42c0f869c7f546ebc6bc3feeb93e0c77e746

Download Submit
C:\Users\Admin\AppData\Roaming\72DAB\BD7C.2DA

Filesize
1KB

MD5
1dd0c6697bde995bcfc9ae9663352aa0

SHA1
9dcd56c9223385613e6593d9295c0ffcf5f150be

SHA256
44f7edfab94787eae58f3bba00afa398003b185c62b40b4caaa13e44da2ee3f4

SHA512
cc4c3af0f9ad77163620ff17f2d7bc02201fb4af3b8ba6636dbf63c6051e74a8bce6983f08833dc42bebc6a04e89b59bdb75551b066a5dd441d7ac0c0513b12a

Download Submit
C:\Users\Admin\cdhost.exe

Filesize
118KB

MD5
4abe6afa1ff995b70ef6511c1f0567ae

SHA1
80935a41582e0fb168c37d2960dce974cab5f0ab

SHA256
fba532bcf20eaba48015c06e52efd121a46dffad4a293d47d1ccc6529e0beae8

SHA512
bd8521102317e02b91025d8f3b5976e3ea6a93b82d8ca76bc05f43ca845d92d1a206d1a2710c194a018504a1578004f154d83c26243ffa2336a19610ee51c565

Download Submit
C:\Windows\system32\consrv.DLL

Filesize
53KB

MD5
d3bd9c7e7a29daa24c66dc62cd5f5633

SHA1
3895247052b6244659e73334e6398677dafa0ac1

SHA256
6b87925d0e03ab5daa4760b1a62bed66c49cb489d011e2c9633eb0fe466df83f

SHA512
e243a2272887b02417b08b0d0728689c8f01cc57d473ed811ba98c2f5aa4d985d02d0fd7772bc33356474abcc815609ab7a6c0e905d6fe884fb7bc70bc67e9d0

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
31a34a0bf701d4634cabc6f89322b2e5

SHA1
0e5aaf9956cbc38047834ca51160f0aa939c0d8c

SHA256
27441643a4d0ab60d3e89fd4a00228eb6f9835304b43805eb46ec02cc2b75a9a

SHA512
3b873de1dee245a4ab428a49a3c79de8fc517ae718496e158324b81e478c6458bd290a9bb0b7e3cd90e681804dd77cca634be039b02bcbd8c52eda4a6d9ffa2c

Download Submit
\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
\Users\Admin\ddhost.exe

Filesize
24KB

MD5
71aecf19a1aec54e3d2c63f945cc6956

SHA1
12213f95739e45881458a7bbb429a0b7b363ccbf

SHA256
c98cd0c456aa393a80d81d259dc8077edaf44d833e0691054291a9ba285f74cf

SHA512
a8634acb97730db9415fd5cb93cb23e1adea0d19c182cf3daf423a73d76dbf7cd3ae1829a3a24fefaab8ffa3fb5e3b93662559067590c7a6779ead71b8f145e4

Download Submit
\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
\Users\Admin\haucu.exe

Filesize
256KB

MD5
3e9daa2216999fd702ac81262464fa82

SHA1
4dcf84c57ad7c89bf96d5ead9776ada7e2b1958f

SHA256
c766c3cb9a1c226d6eb1a24d46ee0d0c405530bd18613f4bd9610ecef0f22d1a

SHA512
c7b6adc26039fa9a92e676c607f39ada13f36eb5d6f46c7aac97846db910fa86795f98df7e3c5b1a94d62f898832c13ee25753f889a0fc932b836b52f1d0291e

Download Submit
memory/336-306-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/688-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-389-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download
memory/840-376-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download
memory/840-375-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1692-99-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1692-98-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1692-253-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1692-100-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1724-318-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/1724-309-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/2036-178-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2036-179-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2216-50-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2216-270-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/2216-268-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/2216-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-11-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2216-12-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2216-5-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2216-3-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2216-13-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2216-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2216-321-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2216-2-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2220-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-75-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-76-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-52-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-65-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2356-186-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/2356-85-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2356-86-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/2356-106-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2356-185-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2676-277-0x0000000000060000-0x0000000000076000-memory.dmp

Filesize
88KB

Download
memory/2676-275-0x00000000002F0000-0x0000000000309000-memory.dmp

Filesize
100KB

Download
memory/2732-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-42-0x00000000030F0000-0x0000000003BAA000-memory.dmp

Filesize
10.7MB

Download
memory/2768-279-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2768-280-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2768-274-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2768-272-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2768-271-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2768-269-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download