85fe131e8476b16ad2fa2d3f892ca0a05f2f7edfbb619766a5a92ab2c12b7fba

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53af0d562c0df92f45a929434f6fd5d5.exe
Size

1.6MB
MD5

53af0d562c0df92f45a929434f6fd5d5
SHA1

a4ceab0387d2d668c620ec1027cf5311d5a77dc2
SHA256

85fe131e8476b16ad2fa2d3f892ca0a05f2f7edfbb619766a5a92ab2c12b7fba
SHA512

e15cb7af50491ba49595a3936dc03668f4c54a1d6a209a7aa9e3ec97182dc85321281b2b7797aad82b1a609d1c6ffce6b19198c6a9b5f0d644269dbda65d20e3
SSDEEP

49152:yTqeQlv3KvMFkWY0/Nw/xt3dqiQFZrB9ToLQaeSA8:zeQlv3KOkWj/Nw/z3ciIPoLxeX

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	spc0.38.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svohost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svohost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svohost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svohost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svohost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svohost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svohost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svohost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svohost.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spc0.38.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	spc0.38.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svohost.exe

Executes dropped EXE 11 IoCs

pid	Process
2648	spc0.38.exe
2664	CarBoosting.exe
2612	svohost.exe
1964	svohost.exe
2636	svohost.exe
2292	svohost.exe
2076	svohost.exe
2680	svohost.exe
728	svohost.exe
1568	svohost.exe
1092	svohost.exe

Loads dropped DLL 62 IoCs

pid	Process
2992	53af0d562c0df92f45a929434f6fd5d5.exe
2992	53af0d562c0df92f45a929434f6fd5d5.exe
2992	53af0d562c0df92f45a929434f6fd5d5.exe
2992	53af0d562c0df92f45a929434f6fd5d5.exe
2648	spc0.38.exe
2648	spc0.38.exe
2648	spc0.38.exe
2648	spc0.38.exe
2648	spc0.38.exe
2648	spc0.38.exe
2612	svohost.exe
2612	svohost.exe
2612	svohost.exe
2612	svohost.exe
2612	svohost.exe
2612	svohost.exe
1964	svohost.exe
1964	svohost.exe
1964	svohost.exe
1964	svohost.exe
1964	svohost.exe
1964	svohost.exe
2636	svohost.exe
2636	svohost.exe
2636	svohost.exe
2636	svohost.exe
2636	svohost.exe
2636	svohost.exe
2292	svohost.exe
2292	svohost.exe
2292	svohost.exe
2292	svohost.exe
2292	svohost.exe
2292	svohost.exe
2076	svohost.exe
2076	svohost.exe
2076	svohost.exe
2076	svohost.exe
2076	svohost.exe
2076	svohost.exe
2680	svohost.exe
2680	svohost.exe
2680	svohost.exe
2680	svohost.exe
2680	svohost.exe
2680	svohost.exe
728	svohost.exe
728	svohost.exe
728	svohost.exe
728	svohost.exe
728	svohost.exe
728	svohost.exe
1568	svohost.exe
1568	svohost.exe
1568	svohost.exe
1568	svohost.exe
1568	svohost.exe
1568	svohost.exe
1092	svohost.exe
1092	svohost.exe
1092	svohost.exe
1092	svohost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2992-0-0x0000000000400000-0x00000000006A2000-memory.dmp	upx
behavioral1/memory/2992-28-0x0000000000400000-0x00000000006A2000-memory.dmp	upx

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wpcap.dll	svohost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svohost.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\packet.dll	svohost.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svohost.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\packet.dll	spc0.38.exe
File created	C:\Windows\SysWOW64\svohost.exe	spc0.38.exe
File created	C:\Windows\SysWOW64\packet.dll	svohost.exe
File created	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\packet.dll	svohost.exe
File created	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\packet.dll	svohost.exe
File created	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\packet.dll	svohost.exe
File created	C:\Windows\SysWOW64\packet.dll	svohost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svohost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svohost.exe
File created	C:\Windows\SysWOW64\packet.dll	svohost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	spc0.38.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svohost.exe
File created	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\packet.dll	svohost.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\svohost.exe	svohost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svohost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svohost.exe
File created	C:\Windows\SysWOW64\packet.dll	svohost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svohost.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	spc0.38.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jvfatiwojFj\ = "l\|`UctU^il]PhqHbNA"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\eskkdlh\ = "ThAYIOdsbV\x7fSIpTgyk\x7fD_`"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@Cs]TLRwAOQSkE`"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gITlgG\ = "L~^\x7fNYRiyzFOxRiah_CYKz@ix"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@CsuTLRwAD\x7fPHfP"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@CshTLRwA@hRiBX"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@CscTLRwAKAN`ZH"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ernhunfccoeu\ = "\x7fsxD^kaSrqOqPwKbEXSi@pPw[M^PJCCK"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@Cs\\TLRwADQzsFT"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ = "Outlook Office Finder"	spc0.38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gITlgG\ = "L~^\x7fNYRiyzFOxRiah_CYKz@ix"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ernhunfccoeu\ = "\x7fsxD^j[SrqOqPwKbEXSi@pPw[M^PJCCK"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@CspTLRwAFXycfd"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ernhunfccoeu\ = "\x7fsxD^jTSrqOqPwKbEXSi@pPw[M^PJCCK"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@NynW_USZe@R"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ernhunfccoeu\ = "\x7fsxD^jeSrqOqPwKbEXSi@pPw[M^PJCCK"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@N~nW_USZeGR"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@CsZTLRwAJEKyEl"	svohost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@NxnW_USZeAR"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@NxnW_USZeAR"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@N\x7fnW_USZeFR"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jvfatiwojFj\ = "l\|`UctU^il]PhqHbNA"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gITlgG\ = "L~^\x7fNYRiyzFOxRiah_CYKz@ix"	svohost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jvfatiwojFj	svohost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ernhunfccoeu	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ernhunfccoeu\ = "\x7fsxD^jJSrqOqPwKbEXSi@pPw[M^PJCCK"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ernhunfccoeu\ = "\x7fsxD^jTSrqOqPwKbEXSi@pPw[M^PJCCK"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@CstTLRwAO\x7fyPed"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@Cs^TLRwA@\|qdVx"	svohost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c004f004f004b00460069006c00650073003e005500330069006f006b006a0040004a0069003f0035007600320062006600790076003d0046002c0000000000	spc0.38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@N}nW_USZeDR"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jznwqpaqwA\ = "x`mXyJbRcMSOXEtKSVMfZQdX"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ernhunfccoeu\ = "\x7fsxD^kGSrqOqPwKbEXSi@pPw[M^PJCCK"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@NsnW_USZeJR"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@CssTLRwAN\|eXnl"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@N}nW_USZeDR"	svohost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gITlgG	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gITlgG\ = "L~^\x7fNYRiyzFOxRiah_CYKz@ix"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\eskkdlh\ = "ThAYIOdsbV\x7fSIpTgyk\x7fD_`"	svohost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\LocalServer32	spc0.38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jvfatiwojFj\ = "l\|`UctU^il]PhqHbNA"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@NrnW_USZeKR"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\eskkdlh\ = "ThAYIOdsbV\x7fSIpTgyk\x7fD_`"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jznwqpaqwA\ = "x`mXyJbRcMSOXEtKSVMfZQdX"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@N\x7fnW_USZeFR"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\eskkdlh\ = "ThAYIOdsbV\x7fSIpTgyk\x7fD_`"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@CsmTLRwAAeSbLX"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jznwqpaqwA\ = "x`mXyJbRcMSOXEtKSVMfZQdX"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jvfatiwojFj\ = "l\|`UctU^il]PhqHbNA"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jvfatiwojFj\ = "l\|`UctU^il]PhqHbNA"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@N\|nW_USZeER"	svohost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}	spc0.38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jznwqpaqwA	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jvfatiwojFj\ = "l\|`UctU^il]PhqHbNA"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@CswTLRwAEdRELP"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ernhunfccoeu\ = "\x7fsxD^kPSrqOqPwKbEXSi@pPw[M^PJCCK"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@NynW_USZe@R"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ghfejEakwi\ = "G\|kcxbsh]BcnUFoPez@NqnW_USZeHR"	svohost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\eskkdlh	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\lUzu\ = "Z@CslTLRwAJezzOl"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gITlgG\ = "L~^\x7fNYRiyzFOxRiah_CYKz@ix"	svohost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ernhunfccoeu\ = "\x7fsxD^krSrqOqPwKbEXSi@pPw[M^PJCCK"	svohost.exe

NTFS ADS 10 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svohost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svohost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svohost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svohost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svohost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svohost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svohost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svohost.exe
File created	C:\ProgramData\TEMP:466F9D5D	svohost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svohost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: 33	2648	spc0.38.exe
Token: SeIncBasePriorityPrivilege	2648	spc0.38.exe
Token: 33	2612	svohost.exe
Token: SeIncBasePriorityPrivilege	2612	svohost.exe
Token: 33	1964	svohost.exe
Token: SeIncBasePriorityPrivilege	1964	svohost.exe
Token: 33	2636	svohost.exe
Token: SeIncBasePriorityPrivilege	2636	svohost.exe
Token: 33	2292	svohost.exe
Token: SeIncBasePriorityPrivilege	2292	svohost.exe
Token: 33	2076	svohost.exe
Token: SeIncBasePriorityPrivilege	2076	svohost.exe
Token: 33	2680	svohost.exe
Token: SeIncBasePriorityPrivilege	2680	svohost.exe
Token: 33	728	svohost.exe
Token: SeIncBasePriorityPrivilege	728	svohost.exe
Token: 33	1568	svohost.exe
Token: SeIncBasePriorityPrivilege	1568	svohost.exe
Token: 33	1092	svohost.exe
Token: SeIncBasePriorityPrivilege	1092	svohost.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2648	2992	53af0d562c0df92f45a929434f6fd5d5.exe	28
PID 2992 wrote to memory of 2648	2992	53af0d562c0df92f45a929434f6fd5d5.exe	28
PID 2992 wrote to memory of 2648	2992	53af0d562c0df92f45a929434f6fd5d5.exe	28
PID 2992 wrote to memory of 2648	2992	53af0d562c0df92f45a929434f6fd5d5.exe	28
PID 2992 wrote to memory of 2664	2992	53af0d562c0df92f45a929434f6fd5d5.exe	29
PID 2992 wrote to memory of 2664	2992	53af0d562c0df92f45a929434f6fd5d5.exe	29
PID 2992 wrote to memory of 2664	2992	53af0d562c0df92f45a929434f6fd5d5.exe	29
PID 2992 wrote to memory of 2664	2992	53af0d562c0df92f45a929434f6fd5d5.exe	29
PID 2648 wrote to memory of 2612	2648	spc0.38.exe	30
PID 2648 wrote to memory of 2612	2648	spc0.38.exe	30
PID 2648 wrote to memory of 2612	2648	spc0.38.exe	30
PID 2648 wrote to memory of 2612	2648	spc0.38.exe	30
PID 2612 wrote to memory of 1964	2612	svohost.exe	31
PID 2612 wrote to memory of 1964	2612	svohost.exe	31
PID 2612 wrote to memory of 1964	2612	svohost.exe	31
PID 2612 wrote to memory of 1964	2612	svohost.exe	31
PID 1964 wrote to memory of 2636	1964	svohost.exe	34
PID 1964 wrote to memory of 2636	1964	svohost.exe	34
PID 1964 wrote to memory of 2636	1964	svohost.exe	34
PID 1964 wrote to memory of 2636	1964	svohost.exe	34
PID 2636 wrote to memory of 2292	2636	svohost.exe	35
PID 2636 wrote to memory of 2292	2636	svohost.exe	35
PID 2636 wrote to memory of 2292	2636	svohost.exe	35
PID 2636 wrote to memory of 2292	2636	svohost.exe	35
PID 2292 wrote to memory of 2076	2292	svohost.exe	36
PID 2292 wrote to memory of 2076	2292	svohost.exe	36
PID 2292 wrote to memory of 2076	2292	svohost.exe	36
PID 2292 wrote to memory of 2076	2292	svohost.exe	36
PID 2076 wrote to memory of 2680	2076	svohost.exe	37
PID 2076 wrote to memory of 2680	2076	svohost.exe	37
PID 2076 wrote to memory of 2680	2076	svohost.exe	37
PID 2076 wrote to memory of 2680	2076	svohost.exe	37
PID 2680 wrote to memory of 728	2680	svohost.exe	38
PID 2680 wrote to memory of 728	2680	svohost.exe	38
PID 2680 wrote to memory of 728	2680	svohost.exe	38
PID 2680 wrote to memory of 728	2680	svohost.exe	38
PID 728 wrote to memory of 1568	728	svohost.exe	39
PID 728 wrote to memory of 1568	728	svohost.exe	39
PID 728 wrote to memory of 1568	728	svohost.exe	39
PID 728 wrote to memory of 1568	728	svohost.exe	39
PID 1568 wrote to memory of 1092	1568	svohost.exe	40
PID 1568 wrote to memory of 1092	1568	svohost.exe	40
PID 1568 wrote to memory of 1092	1568	svohost.exe	40
PID 1568 wrote to memory of 1092	1568	svohost.exe	40

C:\Users\Admin\AppData\Local\Temp\53af0d562c0df92f45a929434f6fd5d5.exe
"C:\Users\Admin\AppData\Local\Temp\53af0d562c0df92f45a929434f6fd5d5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\spc0.38.exe
  "C:\Users\Admin\AppData\Local\Temp\spc0.38.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\svohost.exe
    C:\Windows\system32\svohost.exe 728 "C:\Users\Admin\AppData\Local\Temp\spc0.38.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\svohost.exe
      C:\Windows\system32\svohost.exe 748 "C:\Windows\SysWOW64\svohost.exe"
      4⤵
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\SysWOW64\svohost.exe
        
        C:\Windows\system32\svohost.exe 396 "C:\Windows\SysWOW64\svohost.exe"
        5⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\svohost.exe
        
        C:\Windows\system32\svohost.exe 756 "C:\Windows\SysWOW64\svohost.exe"
        6⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\svohost.exe
        
        C:\Windows\system32\svohost.exe 764 "C:\Windows\SysWOW64\svohost.exe"
        7⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\svohost.exe
        
        C:\Windows\system32\svohost.exe 776 "C:\Windows\SysWOW64\svohost.exe"
        8⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\svohost.exe
        
        C:\Windows\system32\svohost.exe 772 "C:\Windows\SysWOW64\svohost.exe"
        9⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\svohost.exe
        
        C:\Windows\system32\svohost.exe 768 "C:\Windows\SysWOW64\svohost.exe"
        10⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\svohost.exe
        
        C:\Windows\system32\svohost.exe 780 "C:\Windows\SysWOW64\svohost.exe"
        11⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
- C:\Users\Admin\AppData\Local\Temp\CarBoosting.exe
  "C:\Users\Admin\AppData\Local\Temp\CarBoosting.exe"
  2⤵
  - Executes dropped EXE
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:466F9D5D

Filesize
124B

MD5
bb2af97b1ab9978421ccf25201dd8696

SHA1
961f3674484f2203464f42b2bd5f15a4551e9bf2

SHA256
27536d59c43678234e2ea8a7f1aad1b5925b6adb7c41616b2fc0b3ea82ea00c4

SHA512
7d1a47683b59a793e286d9b18cdc79889cd878fe289fd388ab2ccb6117b7edd350a000cb6ae8072987a8cbaacbc8a85e1e3a166231a49633a84a90a9b66be63b

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
124B

MD5
a80e4ec1ad6f1d8b1c15da9ab2dad8cb

SHA1
ecdac3c4b2ab8cf8a764e7c6922cc8d9c9f7ea68

SHA256
a3a938b2132119fab0d42418641a8aa59e0e5ff645edf6a85813e7d86859298a

SHA512
fa17e43ca6f43d41eea15d5aa7840637bd32f179e88042cb5f072572be33de6a44fb1ef8d731567efb827b1a33789336d3b0806f79f90d44686acb2067a03392

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
124B

MD5
c4abcea05e662dfb62473752a7fc567e

SHA1
f3b87369aa3b5eb1962482ace0c23b7478c75e81

SHA256
2fb0a87b94afa90767e04a6ff8811727c414103d0550af1d2f31c035e5e5483c

SHA512
121ddbd19b820bf9bda8a29d73acb50c1fc3b6f63bdbefab7c08e4d3914ec239705a7cf0c7a179b23563dbe85818ecc05bcad79034ac426e6482191c85f3ac1c

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
124B

MD5
eebc4226c7599eae3a22d45d1b4080aa

SHA1
6406f24ca11c1b1a273d358c526d673e7d79d18e

SHA256
13a13f7c20f5f24e156cae12cb84fbb8fcdf4bbfd116462c2354f6175e58d45d

SHA512
99fadf278b81600eeb15e50a06461f4ae6a0e53f8a40ad22107889f78dc9a0aa4041c8da2892e9d96f0e97834849b79714d7a26943a7f4a27a54513b198ca921

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
124B

MD5
afa3100b558d8223dc6a6b8b9aba7003

SHA1
cc6fd00afa6c02c0acd8cf89352475259537dd45

SHA256
04253ee04ced3d26eb85974a9d31abebbb36351f662521dbe37dc3adca41c162

SHA512
05b591d9b63b3e6e7088cc854383c5c0083d6be06ee8bc11bdf725251e8b1b9b13dce42fac60472c2448192e9cc780a15c0eef2b0d37c489bf7ac9365c8b3620

Download Submit
\Users\Admin\AppData\Local\Temp\CarBoosting.exe

Filesize
1.6MB

MD5
96e424f6bdf21793f7ccb86e84ff8ad8

SHA1
29211a5d07d5bf3404f3ba73ab545cf2a7423752

SHA256
f77864ce4b24896a710612b3a120c254c59aa34168a3d3c0e5750b711c01b984

SHA512
d905044c30173976d33144ec172705f7fd3ea2c7b8b43f80d27a65d5230738b4ded8bcbd4cf5f975b18eeaf58e40f54701b9c04742558d581bab79166175aaf1

Download Submit
\Users\Admin\AppData\Local\Temp\spc0.38.exe

Filesize
924KB

MD5
e414106b396a367e565eca1a63acecec

SHA1
f64fd5d7acb881f5e4137b4e8c51c04a60a918c8

SHA256
5af2e1e6924aed43bbc9c4aa346594e031408e1919f8e7c33fd0659b227ac37d

SHA512
488a6199d9a46f4cb7aefb1415b8ce206342e402b534ae4e1a051e28c88d467fe3d2761d529b187dd77e4505ca8d408e97c25342e6e9fc3fc82c3b44b2c80d17

Download Submit
\Windows\SysWOW64\drivers\npf.sys

Filesize
41KB

MD5
243126da7ba441d7c7c3262dcf435a9c

SHA1
42616f7034c0f12e3e4a2166ebe082eb3f08223a

SHA256
80d36efd5b3abb82c421149d423e5019c21f203f085ae2655429a44bb5a9f5c0

SHA512
f5539774d89e8f025da97e7b49d143b7224fcf899db967a34445de70f9228ea5e2d5daffe6444492ce82a3dfb2734786e09140277c208ec1e64580ad74883e68

Download Submit
\Windows\SysWOW64\drivers\npf.sys

Filesize
19KB

MD5
5040168478f601e60d06f912c55c5fe3

SHA1
0c3194b774e11d09bada8ce0625ed1d1709a1d51

SHA256
6e1b3b8a2a85cdb512c14c6353a6dfa6be5c2b7722c6ad6235b1ab8ab42cb0bb

SHA512
b6f5d484e274d95522975e5f0de7daf51b7c2c152bd798b4797e3d9a884c780060bff07b06dc4e929f889e121fdfa24c1d49ca145288482db21a2789fb031685

Download Submit
\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/728-332-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/728-303-0x0000000001F20000-0x0000000001FB5000-memory.dmp

Filesize
596KB

Download
memory/728-293-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/728-316-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/728-320-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/728-322-0x0000000003670000-0x0000000003842000-memory.dmp

Filesize
1.8MB

Download
memory/728-331-0x0000000001F20000-0x0000000001FB5000-memory.dmp

Filesize
596KB

Download
memory/728-336-0x0000000001F20000-0x0000000001FB5000-memory.dmp

Filesize
596KB

Download
memory/1568-333-0x0000000000340000-0x00000000003D5000-memory.dmp

Filesize
596KB

Download
memory/1568-346-0x0000000002290000-0x0000000002299000-memory.dmp

Filesize
36KB

Download
memory/1568-350-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-144-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-136-0x0000000002000000-0x0000000002095000-memory.dmp

Filesize
596KB

Download
memory/1964-132-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-131-0x0000000002000000-0x0000000002095000-memory.dmp

Filesize
596KB

Download
memory/1964-130-0x0000000002000000-0x0000000002095000-memory.dmp

Filesize
596KB

Download
memory/1964-129-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/1964-128-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/1964-125-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/1964-122-0x0000000002000000-0x0000000002095000-memory.dmp

Filesize
596KB

Download
memory/1964-121-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-120-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-119-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-118-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-141-0x0000000002000000-0x0000000002095000-memory.dmp

Filesize
596KB

Download
memory/1964-116-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-115-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-100-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-111-0x0000000002000000-0x0000000002095000-memory.dmp

Filesize
596KB

Download
memory/1964-105-0x0000000002000000-0x0000000002095000-memory.dmp

Filesize
596KB

Download
memory/2076-230-0x0000000000360000-0x00000000003F5000-memory.dmp

Filesize
596KB

Download
memory/2076-263-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2076-261-0x0000000000360000-0x00000000003F5000-memory.dmp

Filesize
596KB

Download
memory/2076-250-0x0000000003590000-0x0000000003762000-memory.dmp

Filesize
1.8MB

Download
memory/2076-244-0x00000000002B0000-0x00000000002B9000-memory.dmp

Filesize
36KB

Download
memory/2076-243-0x00000000002B0000-0x00000000002B9000-memory.dmp

Filesize
36KB

Download
memory/2076-213-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2292-227-0x0000000001F70000-0x0000000002005000-memory.dmp

Filesize
596KB

Download
memory/2292-232-0x0000000001F70000-0x0000000002005000-memory.dmp

Filesize
596KB

Download
memory/2292-180-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2292-229-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2292-210-0x0000000003410000-0x00000000035E2000-memory.dmp

Filesize
1.8MB

Download
memory/2292-205-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2292-204-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2292-187-0x0000000001F70000-0x0000000002005000-memory.dmp

Filesize
596KB

Download
memory/2612-92-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/2612-81-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2612-76-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2612-75-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2612-79-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2612-71-0x0000000001F70000-0x0000000002005000-memory.dmp

Filesize
596KB

Download
memory/2612-62-0x0000000001F70000-0x0000000002005000-memory.dmp

Filesize
596KB

Download
memory/2612-65-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2612-80-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2612-78-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2612-82-0x0000000001F70000-0x0000000002005000-memory.dmp

Filesize
596KB

Download
memory/2612-91-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/2612-87-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download
memory/2612-93-0x0000000001F70000-0x0000000002005000-memory.dmp

Filesize
596KB

Download
memory/2612-106-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2612-94-0x0000000001F70000-0x0000000002005000-memory.dmp

Filesize
596KB

Download
memory/2612-103-0x0000000001F70000-0x0000000002005000-memory.dmp

Filesize
596KB

Download
memory/2612-104-0x00000000034D0000-0x00000000036A2000-memory.dmp

Filesize
1.8MB

Download
memory/2612-95-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2612-98-0x00000000034D0000-0x00000000036A2000-memory.dmp

Filesize
1.8MB

Download
memory/2636-182-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2636-147-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2636-173-0x00000000032D0000-0x00000000034A2000-memory.dmp

Filesize
1.8MB

Download
memory/2636-171-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2636-184-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2636-165-0x00000000020A0000-0x00000000020A9000-memory.dmp

Filesize
36KB

Download
memory/2636-177-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2636-164-0x00000000020A0000-0x00000000020A9000-memory.dmp

Filesize
36KB

Download
memory/2636-154-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2636-152-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2636-151-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2636-138-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2636-137-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2648-74-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2648-35-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2648-37-0x0000000000350000-0x00000000003E5000-memory.dmp

Filesize
596KB

Download
memory/2648-51-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2648-63-0x00000000032A0000-0x0000000003472000-memory.dmp

Filesize
1.8MB

Download
memory/2648-52-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2648-12-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2648-69-0x0000000000350000-0x00000000003E5000-memory.dmp

Filesize
596KB

Download
memory/2648-44-0x00000000002B0000-0x00000000002C5000-memory.dmp

Filesize
84KB

Download
memory/2648-13-0x0000000000350000-0x00000000003E5000-memory.dmp

Filesize
596KB

Download
memory/2648-36-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2648-21-0x0000000000350000-0x00000000003E5000-memory.dmp

Filesize
596KB

Download
memory/2648-30-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2648-31-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2648-33-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2648-34-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2680-288-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2680-300-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2680-255-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2680-304-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2680-301-0x0000000002050000-0x0000000002059000-memory.dmp

Filesize
36KB

Download
memory/2680-291-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2680-302-0x0000000002050000-0x0000000002059000-memory.dmp

Filesize
36KB

Download
memory/2680-281-0x0000000002050000-0x0000000002059000-memory.dmp

Filesize
36KB

Download
memory/2680-264-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2680-282-0x0000000002050000-0x0000000002059000-memory.dmp

Filesize
36KB

Download
memory/2992-28-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2992-15-0x0000000002910000-0x0000000002AE2000-memory.dmp

Filesize
1.8MB

Download
memory/2992-10-0x0000000002910000-0x0000000002AE2000-memory.dmp

Filesize
1.8MB

Download
memory/2992-0-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download