e42b38f6ff18a062ec1311226207cb52c72055325bc8d38459a8ab08c5246991

Analysis

max time kernel
146s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4241a9d1c5c43ec5db4c6fe23935db29.exe
Size

920KB
MD5

4241a9d1c5c43ec5db4c6fe23935db29
SHA1

9da6d0a308f3fb35e5b4addedf1682cc3c4db758
SHA256

e42b38f6ff18a062ec1311226207cb52c72055325bc8d38459a8ab08c5246991
SHA512

5160cbdbd2109f7efd4da0936e9077eb14f0399f505d14e15c12f67e9ff5404f381a309a48b644d69d1f033858d3663319a68210e032496da228c62b1b939d31
SSDEEP

24576:DeFDHYvmR3wIJS7kF6lDJqLGT4RSskAUFOJwYAbkybo6S:yFbR147kQlDJqDdUhYAgyboT

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	4241a9d1c5c43ec5db4c6fe23935db29.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	4241a9d1c5c43ec5db4c6fe23935db29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4241a9d1c5c43ec5db4c6fe23935db29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe

Executes dropped EXE 9 IoCs

pid	Process
3000	svehost.exe
2568	svehost.exe
1648	svehost.exe
1112	svehost.exe
1188	svehost.exe
2968	svehost.exe
2724	svehost.exe
2476	svehost.exe
1124	svehost.exe

Loads dropped DLL 58 IoCs

pid	Process
2336	4241a9d1c5c43ec5db4c6fe23935db29.exe
2336	4241a9d1c5c43ec5db4c6fe23935db29.exe
2336	4241a9d1c5c43ec5db4c6fe23935db29.exe
2336	4241a9d1c5c43ec5db4c6fe23935db29.exe
2336	4241a9d1c5c43ec5db4c6fe23935db29.exe
2336	4241a9d1c5c43ec5db4c6fe23935db29.exe
3000	svehost.exe
3000	svehost.exe
3000	svehost.exe
3000	svehost.exe
3000	svehost.exe
3000	svehost.exe
2568	svehost.exe
2568	svehost.exe
2568	svehost.exe
2568	svehost.exe
2568	svehost.exe
2568	svehost.exe
1648	svehost.exe
1648	svehost.exe
1648	svehost.exe
1648	svehost.exe
1648	svehost.exe
1648	svehost.exe
1112	svehost.exe
1112	svehost.exe
1112	svehost.exe
1112	svehost.exe
1112	svehost.exe
1112	svehost.exe
1188	svehost.exe
1188	svehost.exe
1188	svehost.exe
1188	svehost.exe
1188	svehost.exe
1188	svehost.exe
2968	svehost.exe
2968	svehost.exe
2968	svehost.exe
2968	svehost.exe
2968	svehost.exe
2968	svehost.exe
2724	svehost.exe
2724	svehost.exe
2724	svehost.exe
2724	svehost.exe
2724	svehost.exe
2724	svehost.exe
2476	svehost.exe
2476	svehost.exe
2476	svehost.exe
2476	svehost.exe
2476	svehost.exe
2476	svehost.exe
1124	svehost.exe
1124	svehost.exe
1124	svehost.exe
1124	svehost.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	4241a9d1c5c43ec5db4c6fe23935db29.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	4241a9d1c5c43ec5db4c6fe23935db29.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	4241a9d1c5c43ec5db4c6fe23935db29.exe
File created	C:\Windows\SysWOW64\packet.dll	4241a9d1c5c43ec5db4c6fe23935db29.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]vA`Fkb{R]O~__q`Yrf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "oGdHhbcHJRYep"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\XytpeVdqE = "_uymAeOBzQJYk_OjsWA[IjyIBg"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}	4241a9d1c5c43ec5db4c6fe23935db29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\vlTspQ = "CVCKjYXeW\x7ffNRWK@rkqz"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]\|A`Fkb{RWO~__q`XHf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]{A`Fkb{RPO~__q`Xvf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\InprocServer32\ = "C:\\PROGRA~2\\COMMON~1\\MICROS~1\\OFFICE14\\MSO.DLL"	4241a9d1c5c43ec5db4c6fe23935db29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]wA`Fkb{R\\O~__q`Yaf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "n_dHhbckSdF]@"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]xA`Fkb{RSO~__q`Xef[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "nWdHhbcXRlJ_P"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]yA`Fkb{RRO~__q`YCf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\XytpeVdqE = "_uymAeOBzQJYk_OjsWA[IjyIBg"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "o\x7fdHhbccXg[T`"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\htTnjdtTxh = "iFwvcALYF\\WXJBKT_MIn{tmcW\|yY_Z"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\ = "Microsoft Office 14"	4241a9d1c5c43ec5db4c6fe23935db29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\Ycrgkqcw = "SBNoo\x7fmSrbV]{sqCkEIGUKxGubR}SA\x7f"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]wA`Fkb{R\\O~__q`Yaf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\XytpeVdqE = "_uymAeOBzQJYk_OjsWA[IjyIBg"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\htTnjdtTxh = "iFwvcALYF\\WXJBKT_MIn{tmcW\|yY_Z"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]xA`Fkb{RSO~__q`YTf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\vlTspQ = "CVCKjYXeW\x7ffNRWK@rkqz"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "l_dHhbcflwmO`"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\XytpeVdqE = "_uymAeOBzQJYk_OjsWA[IjyIBg"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\vlTspQ = "CVCKjYXeW\x7ffNRWK@rkqz"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\htTnjdtTxh = "iFwvcALYF\\WXJBKT_MIn{tmcW\|yY_Z"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]zA`Fkb{RQO~__q`XGf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "o_dHhbc`EGYF@"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "ogdHhbcKWr[wP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\Ycrgkqcw = "SBNoo\x7fmSrbV]{sqCkEIGUKxGubR}SA\x7f"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\Ycrgkqcw = "SBNoo\x7fmSrbV]{sqCkEIGUKxGubR}SA\x7f"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]}A`Fkb{RVO~__q`XHf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\vlTspQ = "CVCKjYXeW\x7ffNRWK@rkqz"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]wA`Fkb{R\\O~__q`Yrf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "lOdHhbcUOmniP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\XytpeVdqE = "_uymAeOBzQJYk_OjsWA[IjyIBg"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\htTnjdtTxh = "iFwvcALYF\\WXJBKT_MIn{tmcW\|yY_Z"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "nsdHhbcMMmIt`"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]xA`Fkb{RSO~__q`YTf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\htTnjdtTxh = "iFwvcALYF\\WXJBKT_MIn{tmcW\|yY_Z"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]\|A`Fkb{RWO~__q`XHf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]zA`Fkb{RQO~__q`Xvf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\XytpeVdqE = "_uymAeOBzQJYk_OjsWA[IjyIBg"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "okdHhbcOo@Qfp"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\Ycrgkqcw = "SBNoo\x7fmSrbV]{sqCkEIGUKxGubR}SA\x7f"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "nkdHhbclKqZ\x7fp"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "owdHhbcUqr\\_@"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "lKdHhbc@COmWp"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\XytpeVdqE = "_uymAeOBzQJYk_OjsWA[IjyIBg"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\vlTspQ = "CVCKjYXeW\x7ffNRWK@rkqz"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\Ycrgkqcw = "SBNoo\x7fmSrbV]{sqCkEIGUKxGubR}SA\x7f"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\htTnjdtTxh = "iFwvcALYF\\WXJBKT_MIn{tmcW\|yY_Z"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "ncdHhbcM@yyP`"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "nwdHhbcIHl\|B@"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\Ycrgkqcw = "SBNoo\x7fmSrbV]{sqCkEIGUKxGubR}SA\x7f"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\htTnjdtTxh = "iFwvcALYF\\WXJBKT_MIn{tmcW\|yY_Z"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]{A`Fkb{RPO~__q`Xef[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\vlTspQ = "CVCKjYXeW\x7ffNRWK@rkqz"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]}A`Fkb{RVO~__q`XGf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "oKdHhbc]xnLz`"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "oodHhbccmeqi`"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\xLEFwCnbsix = "LeYVZ]vA`Fkb{R]O~__q`YCf[dBMU}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{900BFB9B-2F48-E1FD-D9B1-5403CA3962EB}\imKg = "lKdHhbc@COmWp"	svehost.exe

NTFS ADS 10 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:5D10C173	svehost.exe
File opened for modification	C:\ProgramData\TEMP:5D10C173	svehost.exe
File opened for modification	C:\ProgramData\TEMP:5D10C173	svehost.exe
File opened for modification	C:\ProgramData\TEMP:5D10C173	svehost.exe
File opened for modification	C:\ProgramData\TEMP:5D10C173	svehost.exe
File opened for modification	C:\ProgramData\TEMP:5D10C173	svehost.exe
File opened for modification	C:\ProgramData\TEMP:5D10C173	svehost.exe
File created	C:\ProgramData\TEMP:5D10C173	svehost.exe
File opened for modification	C:\ProgramData\TEMP:5D10C173	svehost.exe
File opened for modification	C:\ProgramData\TEMP:5D10C173	svehost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: 33	2336	4241a9d1c5c43ec5db4c6fe23935db29.exe
Token: SeIncBasePriorityPrivilege	2336	4241a9d1c5c43ec5db4c6fe23935db29.exe
Token: 33	3000	svehost.exe
Token: SeIncBasePriorityPrivilege	3000	svehost.exe
Token: 33	2568	svehost.exe
Token: SeIncBasePriorityPrivilege	2568	svehost.exe
Token: 33	1648	svehost.exe
Token: SeIncBasePriorityPrivilege	1648	svehost.exe
Token: 33	1112	svehost.exe
Token: SeIncBasePriorityPrivilege	1112	svehost.exe
Token: 33	1188	svehost.exe
Token: SeIncBasePriorityPrivilege	1188	svehost.exe
Token: 33	2968	svehost.exe
Token: SeIncBasePriorityPrivilege	2968	svehost.exe
Token: 33	2724	svehost.exe
Token: SeIncBasePriorityPrivilege	2724	svehost.exe
Token: 33	2476	svehost.exe
Token: SeIncBasePriorityPrivilege	2476	svehost.exe
Token: 33	1124	svehost.exe
Token: SeIncBasePriorityPrivilege	1124	svehost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 3000	2336	4241a9d1c5c43ec5db4c6fe23935db29.exe	28
PID 2336 wrote to memory of 3000	2336	4241a9d1c5c43ec5db4c6fe23935db29.exe	28
PID 2336 wrote to memory of 3000	2336	4241a9d1c5c43ec5db4c6fe23935db29.exe	28
PID 2336 wrote to memory of 3000	2336	4241a9d1c5c43ec5db4c6fe23935db29.exe	28
PID 3000 wrote to memory of 2568	3000	svehost.exe	29
PID 3000 wrote to memory of 2568	3000	svehost.exe	29
PID 3000 wrote to memory of 2568	3000	svehost.exe	29
PID 3000 wrote to memory of 2568	3000	svehost.exe	29
PID 2568 wrote to memory of 1648	2568	svehost.exe	32
PID 2568 wrote to memory of 1648	2568	svehost.exe	32
PID 2568 wrote to memory of 1648	2568	svehost.exe	32
PID 2568 wrote to memory of 1648	2568	svehost.exe	32
PID 1648 wrote to memory of 1112	1648	svehost.exe	33
PID 1648 wrote to memory of 1112	1648	svehost.exe	33
PID 1648 wrote to memory of 1112	1648	svehost.exe	33
PID 1648 wrote to memory of 1112	1648	svehost.exe	33
PID 1112 wrote to memory of 1188	1112	svehost.exe	34
PID 1112 wrote to memory of 1188	1112	svehost.exe	34
PID 1112 wrote to memory of 1188	1112	svehost.exe	34
PID 1112 wrote to memory of 1188	1112	svehost.exe	34
PID 1188 wrote to memory of 2968	1188	svehost.exe	35
PID 1188 wrote to memory of 2968	1188	svehost.exe	35
PID 1188 wrote to memory of 2968	1188	svehost.exe	35
PID 1188 wrote to memory of 2968	1188	svehost.exe	35
PID 2968 wrote to memory of 2724	2968	svehost.exe	36
PID 2968 wrote to memory of 2724	2968	svehost.exe	36
PID 2968 wrote to memory of 2724	2968	svehost.exe	36
PID 2968 wrote to memory of 2724	2968	svehost.exe	36
PID 2724 wrote to memory of 2476	2724	svehost.exe	37
PID 2724 wrote to memory of 2476	2724	svehost.exe	37
PID 2724 wrote to memory of 2476	2724	svehost.exe	37
PID 2724 wrote to memory of 2476	2724	svehost.exe	37
PID 2476 wrote to memory of 1124	2476	svehost.exe	38
PID 2476 wrote to memory of 1124	2476	svehost.exe	38
PID 2476 wrote to memory of 1124	2476	svehost.exe	38
PID 2476 wrote to memory of 1124	2476	svehost.exe	38

C:\Users\Admin\AppData\Local\Temp\4241a9d1c5c43ec5db4c6fe23935db29.exe
"C:\Users\Admin\AppData\Local\Temp\4241a9d1c5c43ec5db4c6fe23935db29.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\svehost.exe
  C:\Windows\system32\svehost.exe 744 "C:\Users\Admin\AppData\Local\Temp\4241a9d1c5c43ec5db4c6fe23935db29.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\svehost.exe
    C:\Windows\system32\svehost.exe 756 "C:\Windows\SysWOW64\svehost.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\svehost.exe
      C:\Windows\system32\svehost.exe 752 "C:\Windows\SysWOW64\svehost.exe"
      4⤵
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 768 "C:\Windows\SysWOW64\svehost.exe"
        5⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 760 "C:\Windows\SysWOW64\svehost.exe"
        6⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 772 "C:\Windows\SysWOW64\svehost.exe"
        7⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 764 "C:\Windows\SysWOW64\svehost.exe"
        8⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 780 "C:\Windows\SysWOW64\svehost.exe"
        9⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 788 "C:\Windows\SysWOW64\svehost.exe"
        10⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:5D10C173

Filesize
111B

MD5
4f20135f8234e1ee8542ddfdd1411431

SHA1
cf752b44921e30e24038bbe493d0fd761863e241

SHA256
18755124efb875176ba416ed59f2d5a51cab6c844d734de783b59b7faad2ef0c

SHA512
9318c8f167af479b39309c142ed3c94f61e1236ae78d57c86c79bb6f7ada2f0d8ae65c382bdcd236ef336d5535d7cd4d45b1713b03d535444262be3516494c4f

Download Submit
C:\ProgramData\TEMP:5D10C173

Filesize
111B

MD5
bde9302c73be23fdfccc36b870cf13a0

SHA1
5c880afc599b4ed59e6ec8ba7548a2eb94e8f131

SHA256
511003d6c15faa19948e7b38591724f8be2d70af9934d8af7e6143884ba15bb6

SHA512
7c46050b689b1797f054bf74711e9977e1bb1d9064a328eb1c32ba99f7fa5510fd8b9ab7a00a394541f4aac59bad207087b1643a87b5deade3a37a952d101fe3

Download Submit
C:\ProgramData\TEMP:5D10C173

Filesize
111B

MD5
fa7115b1a7f4f6568ae0942e65b532cb

SHA1
a0b1582eb0311a488e2523f5c9a21e53088e8285

SHA256
cabc8db3dd386a833f000fc54bdc4e6773637502cb51568e48f9f1fe84de08f7

SHA512
a6867525968fc34aa1814dd67f0682ad590ab38852974799e904d7901451765350d2fa181c76d1ffead3e903c572be8b9f13d53f51b2e0a262fe4939873fbe15

Download Submit
C:\ProgramData\TEMP:5D10C173

Filesize
111B

MD5
e6032b33fa4001aa74feac6794c520e2

SHA1
7dd2f45ff19175e830faedc6ff2f4fb207168ffc

SHA256
6198d1e8d365539630dbce85d84dc9d34ffe076170582480f3f2711426c65132

SHA512
49ffa5af5e7513a0e33f49bd645f85fb6fe716367d7bbacc6784e03518578ed131187024b827da931e49b1945b4ac207fa04c7a2a6742d3d12ff32a57ed8b4c7

Download Submit
C:\ProgramData\TEMP:5D10C173

Filesize
111B

MD5
385b538014c2037430e00417f8b40d70

SHA1
2f7f35354a01139e786346e8075872a870fbf2e6

SHA256
b56b8502559c069bc7e92182a1b8358cc1047830bf2614421d99c39a230a8c84

SHA512
2a3df005087a7ae509b9152e3b6706c97971bb777ced39f5861f91a72b698087d7f49fdd0f129359b1edf8bbae3f05c40d4974913cbbbc723a222270e2db4817

Download Submit
C:\ProgramData\TEMP:5D10C173

Filesize
111B

MD5
8ccb2021cbfb34c1135189708e41cb40

SHA1
2e3faa685130cfd296039d228f47a887d3480295

SHA256
40488b60cc92d13e8a6b3de3d6038a64e3edc63fdd2ba84a838e692feed9480f

SHA512
002e99421ca58ee09d905dd277f7427e225598abdb5718b0d266bbb62be67313e69df7ed75ed66c40e98bc460fcde5fe1edbbf82cf9a89a8e88481b1ab79ec8d

Download Submit
\Windows\SysWOW64\drivers\npf.sys

Filesize
41KB

MD5
243126da7ba441d7c7c3262dcf435a9c

SHA1
42616f7034c0f12e3e4a2166ebe082eb3f08223a

SHA256
80d36efd5b3abb82c421149d423e5019c21f203f085ae2655429a44bb5a9f5c0

SHA512
f5539774d89e8f025da97e7b49d143b7224fcf899db967a34445de70f9228ea5e2d5daffe6444492ce82a3dfb2734786e09140277c208ec1e64580ad74883e68

Download Submit
\Windows\SysWOW64\packet.dll

Filesize
64KB

MD5
e5fe6691fbc978c3414178657a6a348c

SHA1
6a468edb2a750de3045575cc0f87178def22d3a1

SHA256
2a8f767f9c15646b90a3d4437b2e68a8208cd1b022f7df5fb6e79ad1244cc9e0

SHA512
8c154f24071ce603862cef6257ae51bec228df5da7f40631bc242ec0568c5cd3c6735670f86e45089ff85e4359578ada79178a0a519c2256bd81d6645fd6ac33

Download Submit
\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
\Windows\SysWOW64\svehost.exe

Filesize
704KB

MD5
85c321c256a8ce55058de11a9827a696

SHA1
a18a94e276ba2ea130521371aa1a075f1c3edfa7

SHA256
1a4a539a3df5eced5726507756830460afe0a650229e30a85845eb74da1b12af

SHA512
a4224ffcf456694df7b0fc5927e4962c3f66a950a65f2122e36529e3076d3ef7648db2e9f2549ac1dd754d06e0018d4619c3fa215ea11d2371b78e5b6d12b7cd

Download Submit
\Windows\SysWOW64\svehost.exe

Filesize
920KB

MD5
4241a9d1c5c43ec5db4c6fe23935db29

SHA1
9da6d0a308f3fb35e5b4addedf1682cc3c4db758

SHA256
e42b38f6ff18a062ec1311226207cb52c72055325bc8d38459a8ab08c5246991

SHA512
5160cbdbd2109f7efd4da0936e9077eb14f0399f505d14e15c12f67e9ff5404f381a309a48b644d69d1f033858d3663319a68210e032496da228c62b1b939d31

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
128KB

MD5
11073c46e4913e3b743a9cde3e29034a

SHA1
12d1d773a9f92c606e1164b401525487d16f0cb0

SHA256
8b023dade14a92b39c2055944a649697082559b890da14b0bad7406eca723d5c

SHA512
d4792ef9d2e1903300c2abe71ec2b93704b69e5e6f037a2d774aab61519256de2fd624bef027223be85a3033344ad311995fca7bb2b3dbe3c253b1d4b77f23ce

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/1112-186-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1112-197-0x0000000001FB0000-0x0000000002045000-memory.dmp

Filesize
596KB

Download
memory/1112-198-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1112-180-0x0000000001EA0000-0x0000000001EA9000-memory.dmp

Filesize
36KB

Download
memory/1112-179-0x0000000001EA0000-0x0000000001EA9000-memory.dmp

Filesize
36KB

Download
memory/1112-161-0x0000000001FB0000-0x0000000002045000-memory.dmp

Filesize
596KB

Download
memory/1124-335-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1124-345-0x00000000006E0000-0x0000000000775000-memory.dmp

Filesize
596KB

Download
memory/1188-236-0x0000000000670000-0x0000000000705000-memory.dmp

Filesize
596KB

Download
memory/1188-239-0x0000000000670000-0x0000000000705000-memory.dmp

Filesize
596KB

Download
memory/1188-200-0x0000000000670000-0x0000000000705000-memory.dmp

Filesize
596KB

Download
memory/1188-217-0x0000000002150000-0x0000000002159000-memory.dmp

Filesize
36KB

Download
memory/1188-218-0x0000000002150000-0x0000000002159000-memory.dmp

Filesize
36KB

Download
memory/1188-224-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1188-188-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1188-226-0x0000000003530000-0x0000000003702000-memory.dmp

Filesize
1.8MB

Download
memory/1188-242-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1648-114-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1648-118-0x0000000002040000-0x00000000020D5000-memory.dmp

Filesize
596KB

Download
memory/1648-142-0x0000000000710000-0x0000000000719000-memory.dmp

Filesize
36KB

Download
memory/1648-131-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1648-141-0x0000000000710000-0x0000000000719000-memory.dmp

Filesize
36KB

Download
memory/1648-132-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1648-124-0x0000000002040000-0x00000000020D5000-memory.dmp

Filesize
596KB

Download
memory/1648-129-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1648-147-0x0000000003420000-0x00000000035F2000-memory.dmp

Filesize
1.8MB

Download
memory/1648-128-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1648-150-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1648-162-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1648-160-0x0000000002040000-0x00000000020D5000-memory.dmp

Filesize
596KB

Download
memory/2336-28-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2336-42-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2336-13-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2336-14-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2336-12-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2336-21-0x0000000002040000-0x0000000002055000-memory.dmp

Filesize
84KB

Download
memory/2336-11-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2336-31-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2336-10-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2336-7-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2336-34-0x0000000003360000-0x0000000003532000-memory.dmp

Filesize
1.8MB

Download
memory/2336-1-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2336-8-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2336-6-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2336-45-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2336-0-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2336-39-0x0000000003360000-0x0000000003532000-memory.dmp

Filesize
1.8MB

Download
memory/2476-303-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2476-311-0x0000000001F60000-0x0000000001FF5000-memory.dmp

Filesize
596KB

Download
memory/2476-328-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2476-329-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2476-333-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2476-344-0x0000000001F60000-0x0000000001FF5000-memory.dmp

Filesize
596KB

Download
memory/2476-349-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-113-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2568-77-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2568-117-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2568-109-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-108-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2568-107-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2568-105-0x0000000001FD0000-0x0000000001FD9000-memory.dmp

Filesize
36KB

Download
memory/2568-106-0x0000000001FD0000-0x0000000001FD9000-memory.dmp

Filesize
36KB

Download
memory/2568-102-0x00000000006F0000-0x0000000000705000-memory.dmp

Filesize
84KB

Download
memory/2568-95-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-98-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-99-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2568-96-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-97-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-93-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-92-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-88-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2568-119-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-78-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2724-301-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2724-278-0x0000000000840000-0x00000000008D5000-memory.dmp

Filesize
596KB

Download
memory/2724-321-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2724-319-0x0000000000840000-0x00000000008D5000-memory.dmp

Filesize
596KB

Download
memory/2724-309-0x0000000000840000-0x00000000008D5000-memory.dmp

Filesize
596KB

Download
memory/2724-266-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2724-305-0x00000000036F0000-0x00000000038C2000-memory.dmp

Filesize
1.8MB

Download
memory/2724-295-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2724-296-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2968-238-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2968-275-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2968-257-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/2968-258-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/2968-264-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2968-229-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2968-274-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/3000-69-0x0000000000350000-0x0000000000359000-memory.dmp

Filesize
36KB

Download
memory/3000-58-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3000-60-0x0000000001FB0000-0x0000000002045000-memory.dmp

Filesize
596KB

Download
memory/3000-86-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3000-70-0x0000000000350000-0x0000000000359000-memory.dmp

Filesize
36KB

Download
memory/3000-84-0x0000000001FB0000-0x0000000002045000-memory.dmp

Filesize
596KB

Download
memory/3000-59-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3000-71-0x0000000001FB0000-0x0000000002045000-memory.dmp

Filesize
596KB

Download
memory/3000-72-0x0000000001FB0000-0x0000000002045000-memory.dmp

Filesize
596KB

Download
memory/3000-65-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/3000-73-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3000-87-0x0000000001FB0000-0x0000000002045000-memory.dmp

Filesize
596KB

Download
memory/3000-56-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3000-57-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3000-54-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3000-53-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3000-50-0x0000000001FB0000-0x0000000002045000-memory.dmp

Filesize
596KB

Download
memory/3000-43-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3000-41-0x0000000001FB0000-0x0000000002045000-memory.dmp

Filesize
596KB

Download